Posted to dev@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/07/27 02:48:35 UTC

[GitHub] [pulsar-client-node] hrsakai opened a new pull request #166: Upgrade package that has security vulnerabilities

hrsakai opened a new pull request #166:
URL: https://github.com/apache/pulsar-client-node/pull/166


   Ran `npm audit fix` to fix security vulnerabilities.
   ```
   $ npm install
   .
   .
   found 3270 vulnerabilities (82 moderate, 3188 high)
     run `npm audit fix` to fix them, or `npm audit` for details
   
   $ npm audit fix
   .
   .
   fixed 3269 of 3270 vulnerabilities in 954 scanned packages
     1 vulnerability required manual review and could not be updated
   ```
   
   
   We have to upgrade ssri to `v6.0.2 or above` to fix the following security vulnerability, but the `npm-registry-client` dependency is `"ssri": "^5.2.4"`. So we can't fix it.
   https://github.com/npm/npm-registry-client/blob/v8.6.0/package.json#L32
   
   `ssri` is a devDependency, so I ignore this security vulnerability this time.
   ```
   $ npm audit
   
                          === npm audit security report ===
   
   ┌──────────────────────────────────────────────────────────────────────────────┐
   │                                Manual Review                                 │
   │            Some vulnerabilities require your attention to resolve            │
   │                                                                              │
   │         Visit https://go.npm.me/audit-guide for additional guidance          │
   └──────────────────────────────────────────────────────────────────────────────┘
   ┌───────────────┬──────────────────────────────────────────────────────────────┐
   │ Moderate      │ Regular Expression Denial of Service                         │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Package       │ ssri                                                         │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Patched in    │ >=6.0.2 <7.0.0 || >=7.1.1 < 8.0.0 || >= 8.0.1                │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Dependency of │ dtslint [dev]                                                │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ Path          │ dtslint > @definitelytyped/utils > npm-registry-client >     │
   │               │ ssri                                                         │
   ├───────────────┼──────────────────────────────────────────────────────────────┤
   │ More info     │ https://npmjs.com/advisories/565                             │
   └───────────────┴──────────────────────────────────────────────────────────────┘
   found 1 moderate severity vulnerability in 954 scanned packages
     1 vulnerability requires manual review. See the full report for details.
   ```
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
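An added triage example, not code from this PR or from the pulsar-client-node project: the script below takes an `npm audit --json` report in the npm 6 shape that the output above comes from, separates advisories whose every path runs through devDependencies from those that reach production code, and names the direct parent whose declared range pins the vulnerable version, which is what blocked the `ssri` fix here. The report is a constructed sample modelled on the audit output quoted above; advisory `99999` and the package names `example-runtime-dep` and `some-dev-tool` are invented placeholders, and the field names (`findings[].dev`, `patched_versions`, `actions[].resolves`) are assumed from the npm 6 report format.

```javascript
// Added example, not code from the PR or the pulsar-client-node project.
// Triage an `npm audit --json` report (npm 6 shape, assumed field names) into
// advisories that reach production code versus advisories confined to
// devDependencies, and show which direct parent pins the vulnerable range.

// Constructed sample modelled on the PR's audit output. Advisory 565 / ssri is
// from the PR; advisory 99999, `example-runtime-dep` and `some-dev-tool` are
// invented placeholders used to show a production path.
const SAMPLE_AUDIT = {
  actions: [
    {
      action: "review",
      module: "ssri",
      resolves: [{ id: 565, path: "dtslint>@definitelytyped/utils>npm-registry-client>ssri", dev: true }],
    },
  ],
  advisories: {
    565: {
      id: 565,
      module_name: "ssri",
      severity: "moderate",
      title: "Regular Expression Denial of Service",
      patched_versions: ">=6.0.2 <7.0.0 || >=7.1.1 < 8.0.0 || >= 8.0.1",
      findings: [
        { version: "5.2.4", paths: ["dtslint>@definitelytyped/utils>npm-registry-client>ssri"], dev: true },
      ],
    },
    99999: {
      id: 99999,
      module_name: "example-runtime-dep",
      severity: "high",
      title: "Placeholder advisory",
      patched_versions: ">=2.0.0",
      findings: [
        { version: "1.0.0", paths: ["example-runtime-dep"], dev: false },
        { version: "1.0.0", paths: ["some-dev-tool>example-runtime-dep"], dev: true },
      ],
    },
  },
};

// Ids that `npm audit fix` can resolve on its own (update/install actions);
// anything left under a "review" action needs a human, as ssri did here.
function autoFixableIds(report) {
  const ids = new Set();
  for (const action of report.actions || []) {
    if (action.action === "update" || action.action === "install") {
      for (const r of action.resolves) ids.add(r.id);
    }
  }
  return ids;
}

// One row per advisory. Exposure is "production" if any finding path reaches
// runtime code; an advisory is dev-only only when every path is flagged dev.
function triageAudit(report) {
  const fixable = autoFixableIds(report);
  const rows = Object.values(report.advisories).map((adv) => {
    const production = [];
    const dev = [];
    for (const f of adv.findings) (f.dev ? dev : production).push(...f.paths);
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      patchedVersions: adv.patched_versions,
      autoFixable: fixable.has(adv.id),
      exposure: production.length > 0 ? "production" : "dev-only",
      paths: { production, dev },
    };
  });
  const rank = { production: 0, "dev-only": 1 };
  return rows.sort((a, b) => rank[a.exposure] - rank[b.exposure]);
}

// The package immediately above the vulnerable module in each path is the one
// whose declared range must be widened before the fix can land (here,
// npm-registry-client's "ssri": "^5.2.4"). A single-element path means the
// project itself declares the dependency.
function directParents(row) {
  const parents = new Set();
  for (const p of [...row.paths.production, ...row.paths.dev]) {
    const segs = p.split(">");
    parents.add(segs.length > 1 ? segs[segs.length - 2] : "<direct dependency>");
  }
  return [...parents];
}

// CI gate: fail only on exposure that ships; dev-only findings are reported
// but do not block, which matches the decision taken in this PR.
function shouldFailBuild(rows) {
  return rows.some((r) => r.exposure === "production");
}

function formatReport(rows) {
  return rows.map((r) =>
    `${r.exposure.padEnd(10)} ${r.severity.padEnd(8)} ${r.module} (${r.title}); ` +
    `patched: ${r.patchedVersions}; auto-fixable: ${r.autoFixable}; ` +
    `pinned by: ${directParents(r).join(", ")}`);
}

console.log(formatReport(triageAudit(SAMPLE_AUDIT)).join("\n"));
```

Run it with `node audit-triage.js` after replacing `SAMPLE_AUDIT` with the parsed output of `npm audit --json`; a dev-only row whose `autoFixable` is false and whose `pinned by` names a transitive package is exactly the situation described in this PR, where the fix waits on the parent package widening its range.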



[GitHub] [pulsar-client-node] massakam merged pull request #166: Upgrade package that has security vulnerabilities

Posted by GitBox <gi...@apache.org>.
massakam merged pull request #166:
URL: https://github.com/apache/pulsar-client-node/pull/166
