xmppjs / xmpp.js

XMPP for JavaScript
ISC License

Update dependencies for security advisories #906

Closed dceejay closed 3 years ago

dceejay commented 3 years ago

⚠ If you need help with XMPP itself, please visit https://xmpp.org/community/ instead.

Describe the bug A clear and concise description of what the bug is.

What is the release process to update dependencies to fix security issues in build dependencies? E.g. 52 similar to the one below from a simple npm audit when installed via npm install @xmpp/client

Logs from npm audit:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.21                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-red-node-xmpp                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-red-node-xmpp > @xmpp/client > @babel/core > lodash     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1673                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Environment: Mac OS with Node.js 14.17.2, or Raspbian with 12.22.2

dceejay commented 3 years ago

Sorry - it is OK if I use the --production flag on install.
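The follow-up explains why the finding goes away: the advisory's path runs through a build-time dependency, and a `--production` install never pulls in `devDependencies` edges. The script below is an added example for this issue, not xmpp.js project code, that classifies an npm audit "Path" line as production-reachable or dev-only by walking the path over a dependency graph. The graph is constructed to mirror the reported path (`node-red-node-xmpp > @xmpp/client > @babel/core > lodash`) and, following the reporter's note, assumes that `@babel/core` enters via a `devDependencies` edge; version ranges are placeholders, and a real run would build the graph from the installed `package.json` files or the lockfile.

```python
"""Classify npm audit dependency paths as production-reachable or dev-only.

Added example for this issue, not xmpp.js project code. The graph below is
constructed: it mirrors the reported audit path and assumes, as the reporter's
follow-up suggests, that @babel/core is reached through a devDependencies edge.
"""

# Constructed graph: package -> {edge kind -> {dependency name: version range}}.
# Version ranges are placeholders, not taken from any real lockfile.
GRAPH = {
    "node-red-node-xmpp": {
        "dependencies": {"@xmpp/client": "*"},
        "devDependencies": {},
    },
    "@xmpp/client": {
        "dependencies": {"@xmpp/connection": "*"},
        "devDependencies": {"@babel/core": "*"},  # assumption: build-time only
    },
    "@babel/core": {
        "dependencies": {"lodash": "<4.17.21"},  # unpatched range per the advisory
        "devDependencies": {},
    },
    "@xmpp/connection": {"dependencies": {}, "devDependencies": {}},
    "lodash": {"dependencies": {}, "devDependencies": {}},
}

EDGE_KINDS = ("dependencies", "devDependencies")


def edge_kind(graph, parent, child):
    """Return how `parent` pulls in `child`, or None if no such edge is known."""
    node = graph.get(parent)
    if node is None:
        return None
    for kind in EDGE_KINDS:
        if child in node.get(kind, {}):
            return kind
    return None


def classify_path(graph, path):
    """Classify an npm audit 'Path' line such as
    'node-red-node-xmpp > @xmpp/client > @babel/core > lodash'.

    Returns (verdict, edge) where verdict is:
      'production' - every hop is a regular dependency, so a --production
                     install still ships the vulnerable package (edge is None);
      'dev-only'   - some hop is a devDependencies edge; edge names the first
                     such hop, and --production omits everything below it;
      'unknown'    - a hop is missing from the graph; edge names it.
    """
    hops = [p.strip() for p in path.split(">")]
    for parent, child in zip(hops, hops[1:]):
        kind = edge_kind(graph, parent, child)
        if kind is None:
            return "unknown", (parent, child)
        if kind == "devDependencies":
            return "dev-only", (parent, child)
    return "production", None


def triage(graph, paths):
    """Map each audit path to its verdict so a release check can block only on
    findings that a production install actually ships."""
    return {path: classify_path(graph, path)[0] for path in paths}


if __name__ == "__main__":
    # Constructed findings: the lodash path from the report plus a made-up
    # production-only path for contrast.
    sample_paths = [
        "node-red-node-xmpp > @xmpp/client > @babel/core > lodash",
        "node-red-node-xmpp > @xmpp/client > @xmpp/connection",
    ]
    for path, verdict in triage(GRAPH, sample_paths).items():
        print(f"{verdict:10s} {path}")
```

A `dev-only` verdict means the advisory does not affect what ships from a `--production` install, which is the situation the reporter describes; a `production` verdict is the one that should block a release until the patched range (here `>=4.17.21`) is picked up. An `unknown` verdict flags a path the graph cannot explain and should be investigated rather than silently ignored.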