'grunt-retire' complaining about latest version of grunt-retire 0.3.6

[aslamj]

htmlparser2 3.8.2 has known vulnerabilities: fb55/htmlparser2#105
grunt-retire 0.3.6
↳ grunt-contrib-jshint 0.10.0
↳ jshint 2.5.10
↳ htmlparser2 3.8.2

[eoftedal]

Hmm. I can't reproduce this locally. In our printout it looks like grunt-retire has a direct dependency to htmlparser2, though I cannot find this in the manifest.json.

[phun-ky]

I could only find it in the grunt-contrib-jshint-module

[phun-ky]

Found it! (I think):

Searching 80 files for "htmlparser" (case sensitive)

C:\Users\QE1\Workspace\retire.js\repository\npmrepository.json:
  136     "vulnerabilities" : [ { "below" : "1.4.3", "info" : [ "https://github.com/punkave/sanitize-html/issues/29" ] } ]
  137   },  
  138:  "htmlparser2": {
  139:    "vulnerabilities" : [ { "below" : "3.8.3", "info" : [ "https://github.com/fb55/htmlparser2/issues/105" ] } ]
  140   },
  141   "sequelize-restful": {

2 matches in 1 file

[phun-ky]

Created issue at Jshint project to make them update the version in their package.json: jshint/jshint#2029

But as the maintainer of htmparser2 will not fix this any time soon, we will have to wait :/

[eoftedal]

Nice work, @phun-ky

[kozmic]

Quite funny issue, retire finds a vulnerability in its own dependencies by itself... omg! :) Nice work!

[phun-ky]

That's a thought. Should we have a continuous job for grunt-retire/retire to check for vulnerable dependencies? as a test suite on a CI plattform, i.e. Travis?

And if we do not have one (this is not quite related), a simple example in the readme on how to set up test cases for this?

[eoftedal]

Click me:

[phun-ky]

Woop woop! Very nice!