define-property
define-property copied to clipboard
jonschlinkert
Security warning for mocha dependency
Please update the mocha dependency in order to resolve multiple npm audit warnings.
$ npm install
npm WARN deprecated [email protected]: Please use the native JSON object instead of JSON 3
npm WARN deprecated [email protected]: Removed event-stream from gulp-header
npm notice created a lockfile as package-lock.json. You should commit this file.
added 175 packages from 433 contributors and audited 418 packages in 2.629s
found 3 vulnerabilities (2 low, 1 critical)
run `npm audit fix` to fix them, or `npm audit` for details
define-property (master)$ npm audit
=== npm audit security report ===
# Run npm install --save-dev [email protected] to resolve 3 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Command Injection │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ growl │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ mocha > growl │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/146 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ mocha > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mocha [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ mocha > mkdirp > minimist │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/1179 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (2 low, 1 critical) in 418 scanned packages
3 vulnerabilities require semver-major dependency updates.
Hi @jonschlinkert, could you please update all your (dev)dependencies?
would rather want to see this being updated, perhaps he just a little reminder (friendly ping)
It's been months. I already posted a patch. Absolutely no response. Hence, a fork for security purposes.