Posted to dev@pulsar.apache.org by GitBox <gi...@apache.org> on 2019/04/23 01:42:24 UTC
[GitHub] [pulsar-client-node] hrsakai opened a new pull request #28: Upgrade js-yaml to fix security vulnerability
hrsakai opened a new pull request #28: Upgrade js-yaml to fix security vulnerability
URL: https://github.com/apache/pulsar-client-node/pull/28
Upgrade js-yaml from `3.13.0` to `3.13.1`.
The `tar` package also has a security vulnerability, but the latest version of the `node-gyp` package (which requires the `tar` package) still uses a version of `tar` that includes the security vulnerability.
```
$ npm audit
=== npm audit security report ===
# Run npm update js-yaml --depth 6 to resolve 3 vulnerabilities
High Code Injection
Package js-yaml
Dependency of eslint [dev]
Path eslint > js-yaml
More info https://nodesecurity.io/advisories/813
High Code Injection
Package js-yaml
Dependency of grunt [dev]
Path grunt > js-yaml
More info https://nodesecurity.io/advisories/813
High Code Injection
Package js-yaml
Dependency of jest [dev]
Path jest > jest-cli > @jest/core > @jest/reporters >
istanbul-api > js-yaml
More info https://nodesecurity.io/advisories/813
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of node-gyp [dev]
Path node-gyp > tar
More info https://nodesecurity.io/advisories/803
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
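
Added example, not part of the original pull request or the pulsar-client-node code: a lockfile walk that lists which dependency paths still resolve below the fixed versions named above (js-yaml `3.13.1`, tar `4.4.2`), useful for confirming what remains after the upgrade. The lock tree, its shape and every installed version other than js-yaml `3.13.0` are constructed sample data; the function names are hypothetical.

```javascript
// Constructed sample in a nested-"dependencies" lockfile shape (assumption).
// Versions of eslint, grunt, node-gyp and the installed tar are made up for illustration.
const sampleLock = {
  dependencies: {
    eslint: { version: "5.16.0", dependencies: { "js-yaml": { version: "3.13.0" } } },
    grunt: { version: "1.0.4", dependencies: { "js-yaml": { version: "3.13.1" } } },
    "node-gyp": { version: "3.8.0", dependencies: { tar: { version: "2.2.1" } } },
  },
};

// Minimum fixed versions taken from the message above.
const minFixed = { "js-yaml": "3.13.1", tar: "4.4.2" };

// Compare plain x.y.z versions numerically (pre-release tags are not handled).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk: record every path whose installed version is below the fix.
function findVulnerablePaths(node, fixed, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = [...trail, name];
    if (fixed[name] && compareVersions(dep.version, fixed[name]) < 0) {
      hits.push({ path: path.join(" > "), installed: dep.version, fixedIn: fixed[name] });
    }
    // A vulnerable package can sit below any parent, so always descend.
    hits.push(...findVulnerablePaths(dep, fixed, path));
  }
  return hits;
}

const findings = findVulnerablePaths(sampleLock, minFixed);
for (const f of findings) {
  console.log(`${f.path}: installed ${f.installed}, fixed in ${f.fixedIn}`);
}
```

In the sample, the `grunt > js-yaml` path is already at the fixed version and is not reported, while `node-gyp > tar` stays flagged because the parent still pins an older `tar`.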