Closed Biboba closed 3 years ago
@theintern/common has been updated to 0.2.4, which takes care of the significant vulnerabilities.
Thanks for your quick reply and for the fix! Indeed, the "high" vulnerabilities are now gone, but 4 low ones still remain:
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix --force`
Will install intern@4.8.0, which is a breaking change
node_modules/minimist
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/optimist
handlebars 3.0.0 - 4.7.3
Depends on vulnerable versions of optimist
node_modules/handlebars
intern 4.3.6 || >=4.8.1
Depends on vulnerable versions of handlebars
node_modules/intern
4.9.0 has a dependency on handlebars ~4.5.3. 4.5.3 has a vulnerability in it (https://nvd.nist.gov/vuln/detail/CVE-2019-20920). As the dependency is ~4.5.3 and not ^4.5.3, that precludes consumers from using handlebars 4.6.0, so they're stuck with the vulnerable version.
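To make the semver point in the comment above concrete, here is an added example (not code from the intern project or any commenter) that implements just npm's tilde and caret range rules for plain x.y.z versions and shows which handlebars releases each declaration lets a consumer resolve to:

```javascript
// Added example, not code from the intern project: a minimal checker for npm's
// tilde (~) and caret (^) range operators, enough to show why a dependency
// declared as "~4.5.3" can never resolve to handlebars 4.6.0 while "^4.5.3" can.
// Only plain x.y.z versions are handled (no prerelease tags, no "||" ranges).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Sort-style comparator on parsed [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Return the [lower, upper) bounds npm gives a ~ or ^ range.
function rangeBounds(range) {
  const op = range[0];
  const base = parseVersion(range.slice(1));
  const [major, minor, patch] = base;
  if (op === '~') {
    return [base, [major, minor + 1, 0]]; // ~4.5.3 := >=4.5.3 <4.6.0
  }
  if (op === '^') {
    if (major > 0) return [base, [major + 1, 0, 0]]; // ^4.5.3 := >=4.5.3 <5.0.0
    if (minor > 0) return [base, [0, minor + 1, 0]]; // ^0.2.3 := >=0.2.3 <0.3.0
    return [base, [0, 0, patch + 1]]; // ^0.0.3 := >=0.0.3 <0.0.4
  }
  throw new Error(`unsupported range operator in: ${range}`);
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// Which of the published releases a consumer could actually receive under a range.
function resolvable(range, candidates) {
  return candidates.filter((c) => satisfies(c, range));
}

// Constructed list using the handlebars versions mentioned in this thread.
const CANDIDATES = ['4.5.3', '4.6.0', '4.7.3'];
console.log('~4.5.3 ->', resolvable('~4.5.3', CANDIDATES)); // ['4.5.3']
console.log('^4.5.3 ->', resolvable('^4.5.3', CANDIDATES)); // ['4.5.3','4.6.0','4.7.3']
```

The practical consequence is that a tilde pin on a patched-later line blocks the fix until the library itself republishes; a caret pin lets `npm audit fix` move consumers to 4.6.0 without a breaking change.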
I migrated away from this package because of this. More than 3 months with vulnerabilities? Umm… nice job.
Dependencies are being updated, but as Dan Abramov recently pointed out, npm audit's results are frequently not meaningful.
Expected behavior
Installing intern with
npm install intern
should not install packages containing known vulnerabilities.
Current behavior
Installing intern with
npm install intern
installs packages containing 8 vulnerabilities (3 low, 5 high). After installing intern and running npm audit, the following output is logged:
Possible solution
Update intern dependencies
Steps to reproduce (for bugs)
Environment
Intern version: 4.9.0 Node version: 15.7.0 NPM version: 7.4.3 Browser version:
Additional information
Thanks for this library!