
Serverless version insecure - `npm audit` recommends updating to 1.32.0

Open mclark-newvistas opened this issue 7 years ago • 1 comments

On line 285: https://github.com/mscifo/pressless/blob/4e727bd0de0754f81f5e77efb960ab125ec62b1a/bin/pressless#L285

we run npm install in ./.pressless, with a package.json file defined on line 136. On line 141: https://github.com/mscifo/pressless/blob/4e727bd0de0754f81f5e77efb960ab125ec62b1a/bin/pressless#L141 we require serverless version 1.17.0. npm install now automatically runs npm audit, which reports:

=== npm audit security report ===

Run npm install serverless@1.32.0 to resolve 1 vulnerability

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ serverless > https-proxy-agent                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/593                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

found 1 high severity vulnerability in 630 scanned packages
  run npm audit fix to fix 1 of them.

mclark-newvistas, Nov 02 '18 00:11

Given the other dependencies use ^ - can we safely just add the ^ to the serverless line? I.e., was that a deliberate omission?

mclark-newvistas, Nov 02 '18 00:11
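As an added example (not code from the pressless project or its author), the following JavaScript script answers the question raised in the thread mechanically: it implements npm's caret-range rule (a `^` range admits any version that does not change the left-most non-zero component) for plain `MAJOR.MINOR.PATCH` strings and reports which pinned dependencies would keep a project on a release that `npm audit` says is vulnerable. The dependency map and the fix version are constructed to mirror the issue (serverless pinned at 1.17.0, fix available in 1.32.0); `some-other-dep` is a made-up entry standing in for the caret-ranged dependencies the comment mentions. Only exact pins and caret ranges are handled, which is all the thread needs; other range syntax is rejected rather than guessed at.

```javascript
// Added example: decide whether a package.json range would let `npm install`
// pick up the release that `npm audit` recommends. Exact pins and caret (^)
// ranges only; anything else throws so it is never silently misjudged.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics as npm documents them: ^1.17.0 is >=1.17.0 <2.0.0,
// ^0.2.3 is >=0.2.3 <0.3.0, ^0.0.3 is >=0.0.3 <0.0.4.
function satisfies(range, candidate) {
  const r = range.trim();
  const cand = parseVersion(candidate);
  if (r.startsWith('^')) {
    const base = parseVersion(r.slice(1));
    if (compare(cand, base) < 0) return false;
    let upper;
    if (base[0] !== 0) upper = [base[0] + 1, 0, 0];
    else if (base[1] !== 0) upper = [0, base[1] + 1, 0];
    else upper = [0, 0, base[2] + 1];
    return compare(cand, upper) < 0;
  }
  // No operator: treat as an exact pin.
  return compare(cand, parseVersion(r)) === 0;
}

// For each package that has a known fixed version, report the ones whose
// declared range excludes that fix, i.e. the ones `npm audit fix` cannot help.
function blockedFixes(dependencies, fixes) {
  const blocked = [];
  for (const [name, fixed] of Object.entries(fixes)) {
    const range = dependencies[name];
    if (range === undefined) continue;
    if (!satisfies(range, fixed)) blocked.push({ name, range, fixed });
  }
  return blocked;
}

// Constructed sample mirroring the issue: serverless pinned exactly at 1.17.0
// while npm audit asks for 1.32.0; some-other-dep is a made-up caret entry.
const sampleDeps = { serverless: '1.17.0', 'some-other-dep': '^2.3.1' };
const sampleFixes = { serverless: '1.32.0' };

const report = blockedFixes(sampleDeps, sampleFixes);
console.log('blocked by an exact pin:', report);
console.log('would ^1.17.0 admit 1.32.0?', satisfies('^1.17.0', '1.32.0'));
```

Run with `node` and the report lists serverless as blocked, while the second line prints `true`: switching the line to `^1.17.0` would let `npm install` resolve to 1.32.0 (and to any later 1.x), which is exactly what the comment asks. Note that a caret range only admits the fix; whether that range is safe for the project is a compatibility question the range syntax cannot answer.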