vadimdemedes / mongorito

🍹 MongoDB ODM for Node.js apps based on Redux

found 1 low severity vulnerability #213

Closed rottenoats closed 5 years ago

rottenoats commented 5 years ago

After installing mongorito, node notifies me of a vulnerability. After further inspection, it would appear that version 3.0.4 from the npm packages uses mquery version 1.11.0, while the 3.0.4 version here uses version 3.0.0 of mquery.


                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mongorito                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mongorito > mquery > debug                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 173 scanned packages
  1 vulnerability requires manual review. See the full report for details.
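As an added example (not code from the mongorito project or from the reporter), the script below resolves a dependency along the audit's "Path" and tests the resolved version against the "Patched in" range, which is how one would confirm from a lockfile whether the transitive debug copy is still inside the ReDoS-affected range. The lock-tree shape, and the debug version 2.6.8 in the sample tree, are constructed assumptions; the issue does not state which debug version was installed.

```javascript
// Added example, not code from the mongorito project: resolve a transitive
// dependency along an npm audit "Path" and test it against "Patched in".
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}
// -1, 0 or 1 comparing a to b numerically, component by component.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
const OPS = { '>=': (c) => c >= 0, '>': (c) => c > 0, '<=': (c) => c <= 0,
              '<': (c) => c < 0, '=': (c) => c === 0 };

// "Patched in" grammar: sets joined by "||"; comparators in a set are AND-ed.
function satisfies(version, range) {
  return range.split('||').some((set) => {
    const comps = [...set.matchAll(/(>=|<=|>|<|=)\s*(\d+\.\d+\.\d+)/g)];
    if (comps.length === 0) throw new Error(`unparsable range: ${set}`);
    return comps.every(([, op, v]) => OPS[op](compareVersions(version, v)));
  });
}

// Walk a nested tree shaped like package-lock.json v1 "dependencies"
// ({ name: { version, dependencies } }) along "a > b > c".
function resolvePath(tree, path) {
  let node = { dependencies: tree };
  for (const name of path.split('>').map((s) => s.trim())) {
    node = node.dependencies && node.dependencies[name];
    if (!node) return null;
  }
  return node.version;
}

// vulnerable when the resolved version lies outside every patched set;
// a path that is not present in the tree is reported as not vulnerable.
function auditPath(tree, path, patchedIn) {
  const version = resolvePath(tree, path);
  return { version, vulnerable: version !== null && !satisfies(version, patchedIn) };
}

// Constructed tree: mongorito 3.0.4 pulling mquery 1.11.0 as the issue says;
// the debug version 2.6.8 is an assumption, the issue does not state it.
const SAMPLE_TREE = { mongorito: { version: '3.0.4', dependencies: {
  mquery: { version: '1.11.0', dependencies: { debug: { version: '2.6.8' } } } } } };
const PATCHED_IN = '>= 2.6.9 < 3.0.0 || >= 3.1.0'; // from the audit report

console.log(auditPath(SAMPLE_TREE, 'mongorito > mquery > debug', PATCHED_IN));
```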
vadimdemedes commented 5 years ago

Seems it's not an issue anymore:

```
❯ npm audit

                       === npm audit security report ===

found 0 vulnerabilities in 7313 scanned packages
```