vulnerabilities found in dependencies #1623
Comments
I'm facing the same issue.

✗ Low severity vulnerability found in braces
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/npm:braces:20180219
  Introduced through: browser-sync@2.26.3
  From: browser-sync@2.26.3 > micromatch@2.3.11 > braces@1.8.5

✗ Medium severity vulnerability found in ua-parser-js
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/npm:ua-parser-js:20180227
  Introduced through: browser-sync@2.26.3
  From: browser-sync@2.26.3 > ua-parser-js@0.7.17

✗ Medium severity vulnerability found in chownr
  Description: Time of Check Time of Use (TOCTOU)
  Info: https://snyk.io/vuln/npm:chownr:20180731
  Introduced through: browser-sync@2.26.3
  From: browser-sync@2.26.3 > chokidar@2.0.4 > fsevents@1.2.4 > node-pre-gyp@0.10.0 > tar@4.4.1 > chownr@1.0.1

This is taken from a TravisCI build; it also shows up on GNU/Linux.
In general these are not critical issues for the dev build on your side and for solutions which are not using the vulnerable code in production.

@DanielRuf True, but the output above is shown from a project that uses BrowserSync as a dependency, so it's definitely a production matter.
Not as
@DanielRuf I would have used it as

    // start Browsersync only when explicitly enabled (app setting or BROWSER env var)
    let browserOn = server.app.get('browser') || process.env.BROWSER;
    if (browserOn && cfg.opts.useHttps) {
      // proxy the local server and reload on asset changes
      require('browser-sync')({
        proxy: `localhost:${cfg.port}`,
        files: ['public/**/*.{js,css}']
      });
    }

in a server file where I use an NPM script as follows:

    "browser": "BROWSER=true node ./bin/w3.js",

But then, there's probably a better way which would avoid having to worry about the several vulnerabilities this package has had since I started using it.
fixed in 2.26.4 :)
Issue details
snyk found some vulnerabilities in dependencies of browser-sync.
Steps to reproduce/test case
Run a snyk audit against the latest version of browser-sync.
Please specify which version of Browsersync, node and npm you're running
Affected platforms
Browsersync use-case