Update request dependency #1452

Closed
pdehaan opened this issue Aug 6, 2014 · 7 comments

@pdehaan
Contributor

pdehaan commented Aug 6, 2014

Re: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking

You may want to bump your request dependency to ~2.40.0 in package.json:49.

@vladikoff
Member

From the report:

> for example, in a web application, other requests would not be processed while this blocking is occurring.

Seems like Bower as a CLI tool should be safe for now. Leaving this issue open until the dependency is updated.

@pdehaan
Contributor Author

pdehaan commented Aug 6, 2014

Use case: I use nsp shrinkwrap and grunt validate-shrinkwrap to check for things like, well, this.

Bower being behind on updating dependencies causes grunt tasks to fail, and subsequently fire and brimstone.

$ git clone git@github.com:bower/bower.git .
$ npm install
$ npm shrinkwrap --dev
wrote npm-shrinkwrap.json

$ nsp shrinkwrap
Name  Installed  Patched  Vulnerable Dependency
qs      0.6.6     >= 1.x  bower > bower-registry-client > request
qs      0.6.6     >= 1.x  bower > bower-registry-client > request
qs      0.5.6     >= 1.x  bower > grunt-contrib-watch > tiny-lr-fork
qs      0.5.6     >= 1.x  bower > grunt-contrib-watch > tiny-lr-fork
qs      0.6.6     >= 1.x  bower > insight > request
qs      0.6.6     >= 1.x  bower > insight > request
qs      0.6.6     >= 1.x  bower > request
qs      0.6.6     >= 1.x  bower > request

Status: http://www.sadtrombone.com/?play=true

@pdehaan
Contributor Author

pdehaan commented Aug 7, 2014

@vladikoff There may be more. I'll check the bower-registry-client, grunt-contrib-watch, and insight repos as well and see if they've updated so you can bump those dependencies. :oyvey:

It looks like you have a few outdated modules, but none of them seem to be affected by the recent qs business.

$ npm shrinkwrap --dev
wrote npm-shrinkwrap.json

$ nsp shrinkwrap
Name  Installed  Patched  Vulnerable Dependency
qs      0.6.6     >= 1.x  bower > bower-registry-client > request
qs      0.6.6     >= 1.x  bower > bower-registry-client > request
qs      0.5.6     >= 1.x  bower > grunt-contrib-watch > tiny-lr-fork
qs      0.5.6     >= 1.x  bower > grunt-contrib-watch > tiny-lr-fork
qs      0.6.6     >= 1.x  bower > insight > request
qs      0.6.6     >= 1.x  bower > insight > request
qs      0.6.6     >= 1.x  bower > request
qs      0.6.6     >= 1.x  bower > request

$ npm outdated --depth 0 | sort
Package         Current  Wanted         Latest  Location
decompress-zip    0.0.6   0.0.6          0.0.8  decompress-zip
fstream          0.1.31  0.1.31          1.0.1  fstream
fstream-ignore    0.0.6   0.0.6          1.0.1  fstream-ignore
handlebars        1.3.0   1.3.0  2.0.0-alpha.4  handlebars
istanbul         0.2.16  0.2.16          0.3.0  istanbul
mocha            1.20.1  1.20.1         1.21.4  mocha
nock             0.41.0  0.41.0         0.44.0  nock
opn               0.1.2   0.1.2          1.0.0  opn
request          2.36.0  2.36.0         2.40.0  request
semver            2.3.2   2.3.2          3.0.1  semver
tar              0.1.20  0.1.20          1.0.0  tar
tmp              0.0.23  0.0.23         0.0.24  tmp
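The nsp shrinkwrap runs in the two comments above walk the lockfile and report every nested copy of qs together with the install path that pulls it in. The block below is an added example, not nsp's or bower's code, that reproduces that check over a constructed npm-shrinkwrap.json (the v1 layout with nested `dependencies` objects) shaped like the bower tree in the thread. The package versions in the sample, the `ADVISORIES` table, and every function name are assumptions for illustration; the only range taken from the page is the advisory itself (qs below 1.0.0, patched in >= 1.x).

```javascript
'use strict';

// Constructed sample lockfile (v1 npm-shrinkwrap.json shape: nested
// "dependencies" objects). Shaped like the bower tree in the thread, but
// the versions are illustrative, not copied from bower's real lockfile.
const SAMPLE_SHRINKWRAP = {
  name: 'bower',
  version: '1.3.9',
  dependencies: {
    request: {
      version: '2.36.0',
      dependencies: { qs: { version: '0.6.6' } }
    },
    'bower-registry-client': {
      version: '0.2.0',
      dependencies: {
        request: {
          version: '2.36.0',
          dependencies: { qs: { version: '0.6.6' } }
        }
      }
    },
    'grunt-contrib-watch': {
      version: '0.6.1',
      dependencies: {
        'tiny-lr-fork': {
          version: '0.0.5',
          dependencies: { qs: { version: '0.5.6' } }
        }
      }
    },
    insight: {
      version: '0.4.3',
      dependencies: {
        // Already on a request that carries a 1.x qs: must NOT be reported.
        request: {
          version: '2.40.0',
          dependencies: { qs: { version: '1.2.0' } }
        }
      }
    }
  }
};

// Assumed advisory table. "below" is exclusive: installed < below is vulnerable.
const ADVISORIES = [
  { name: 'qs', below: '1.0.0', patched: '>= 1.x', title: 'DoS, extended event loop blocking' }
];

// Parse "major.minor.patch" into numbers; a prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error('unparseable version: ' + v);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: negative if a < b, 0 if equal, positive if a > b.
// (String comparison would rank 2.36.0 above 2.40.0, which is why this exists.)
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Walk the whole tree. Every nested copy of a package is visited, so a
// vulnerable module is reported once per install path, which is why the
// nsp output above lists qs several times. "path" is the chain of packages
// that pulls the module in, excluding the module itself, as nsp prints it.
function findVulnerable(shrinkwrap, advisories = ADVISORIES) {
  const hits = [];
  function walk(node, path) {
    const deps = node.dependencies || {};
    for (const name of Object.keys(deps)) {
      const dep = deps[name];
      for (const adv of advisories) {
        if (adv.name === name && compareVersions(dep.version, adv.below) < 0) {
          hits.push({ name, installed: dep.version, patched: adv.patched, path: path.join(' > ') });
        }
      }
      walk(dep, path.concat(name));
    }
  }
  walk(shrinkwrap, [shrinkwrap.name]);
  return hits;
}

// Render findings in the column layout nsp uses.
function formatReport(hits) {
  const lines = ['Name  Installed  Patched  Vulnerable Dependency'];
  for (const h of hits) lines.push(`${h.name}  ${h.installed}  ${h.patched}  ${h.path}`);
  return lines.join('\n');
}

console.log(formatReport(findVulnerable(SAMPLE_SHRINKWRAP)));
```

Run with node: the three copies of qs reached through request 2.36.0 and tiny-lr-fork are reported, while the insight > request copy in the sample sits on request 2.40.0 with a 1.x qs and is skipped, which is the state the thread is asking bower's own request dependency to reach. In a grunt task the report becomes a failing build by exiting non-zero whenever `findVulnerable` returns anything.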

@pdehaan
Contributor Author

pdehaan commented Aug 7, 2014

Link to bower/registry-client#12

@pdehaan
Contributor Author

pdehaan commented Aug 7, 2014

Link to mklabs/tiny-lr#54

@pdehaan
Contributor Author

pdehaan commented Aug 7, 2014

Link to yeoman/insight#25

@joskuijpers

I made a PR that updates most dependencies. #1467
All the ones listed by @pdehaan, except request, semver & handlebars (see the PR message).

4 participants