Update request dependency #1452
Re: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking

You may want to bump your request dependency to ~2.40.0 in package.json:49.

Use case: I use Bower. Being behind on updating dependencies causes grunt tasks to fail, and subsequently fire and brimstone.

```
$ git clone git@github.com:bower/bower.git .
$ npm install
$ npm shrinkwrap --dev
wrote npm-shrinkwrap.json
$ nsp shrinkwrap
Name  Installed  Patched  Vulnerable Dependency
qs    0.6.6      >= 1.x   bower > bower-registry-client > request
qs    0.6.6      >= 1.x   bower > bower-registry-client > request
qs    0.5.6      >= 1.x   bower > grunt-contrib-watch > tiny-lr-fork
qs    0.5.6      >= 1.x   bower > grunt-contrib-watch > tiny-lr-fork
qs    0.6.6      >= 1.x   bower > insight > request
qs    0.6.6      >= 1.x   bower > insight > request
qs    0.6.6      >= 1.x   bower > request
qs    0.6.6      >= 1.x   bower > request
```

@vladikoff There may be more. I'll check the bower-registry-client, grunt-contrib-watch, and insight repos as well and see if they've updated so you can bump those dependencies.

:oyvey: It looks like you have a few outdated modules, but none of them seem to be affected by the recent

```
$ npm shrinkwrap --dev
wrote npm-shrinkwrap.json
$ nsp shrinkwrap
Name  Installed  Patched  Vulnerable Dependency
qs    0.6.6      >= 1.x   bower > bower-registry-client > request
qs    0.6.6      >= 1.x   bower > bower-registry-client > request
qs    0.5.6      >= 1.x   bower > grunt-contrib-watch > tiny-lr-fork
qs    0.5.6      >= 1.x   bower > grunt-contrib-watch > tiny-lr-fork
qs    0.6.6      >= 1.x   bower > insight > request
qs    0.6.6      >= 1.x   bower > insight > request
qs    0.6.6      >= 1.x   bower > request
qs    0.6.6      >= 1.x   bower > request
$ npm outdated --depth 0 | sort
Package         Current  Wanted   Latest         Location
decompress-zip  0.0.6    0.0.6    0.0.8          decompress-zip
fstream         0.1.31   0.1.31   1.0.1          fstream
fstream-ignore  0.0.6    0.0.6    1.0.1          fstream-ignore
handlebars      1.3.0    1.3.0    2.0.0-alpha.4  handlebars
istanbul        0.2.16   0.2.16   0.3.0          istanbul
mocha           1.20.1   1.20.1   1.21.4         mocha
nock            0.41.0   0.41.0   0.44.0         nock
opn             0.1.2    0.1.2    1.0.0          opn
request         2.36.0   2.36.0   2.40.0         request
semver          2.3.2    2.3.2    3.0.1          semver
tar             0.1.20   0.1.20   1.0.0          tar
tmp             0.0.23   0.0.23   0.0.24         tmp
```

Link to bower/registry-client#12

Link to mklabs/tiny-lr#54

Link to yeoman/insight#25

From the report:

Seems like Bower as a CLI tool should be safe for now. Leaving this issue open until the dependency is updated.
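As an added example (not code from this issue, from bower, or from nsp), a short Node script that does what `nsp shrinkwrap` does above: walk an npm-shrinkwrap.json tree and report every dependency path that reaches a vulnerable qs, so a transitive qs can be traced back to the direct dependency that needs bumping. The shrinkwrap fragment and its non-qs version strings are constructed; the threshold (qs patched at >= 1.x) is the one in the nsp table above.

```javascript
// Walk a shrinkwrap-style dependency tree and report each path that reaches a
// package version below its advisory's patched major (here: qs < 1.x).

// Advisory data, written as an assumption matching nsp's "Patched >= 1.x".
const ADVISORIES = [{ name: 'qs', patchedMajor: 1 }];

// Constructed shrinkwrap fragment modelled on three of the paths nsp printed;
// the non-qs version strings are sample values, not bower's real ones.
const SHRINKWRAP = {
  name: 'bower',
  dependencies: {
    request: { version: '2.36.0', dependencies: { qs: { version: '0.6.6' } } },
    'bower-registry-client': { version: '0.1.0', dependencies: {
      request: { version: '2.36.0', dependencies: { qs: { version: '0.6.6' } } } } },
    'grunt-contrib-watch': { version: '0.6.0', dependencies: {
      'tiny-lr-fork': { version: '0.0.5', dependencies: { qs: { version: '0.5.6' } } } } },
  },
};

// Major component of an "x.y.z" version string (pre-release tags ignored).
function major(version) {
  return parseInt(version.split('.')[0], 10);
}

// Depth-first walk; returns one {name, version, path} per vulnerable
// occurrence, with the path written the way nsp prints it ("a > b > c").
function findVulnerable(tree, advisories = ADVISORIES) {
  const hits = [];
  function walk(node, path) {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const here = [...path, name];
      const adv = advisories.find((a) => a.name === name);
      if (adv && major(dep.version) < adv.patchedMajor) {
        hits.push({ name, version: dep.version, path: here.join(' > ') });
      }
      walk(dep, here); // keep descending: nested copies may differ in version
    }
  }
  walk(tree, [tree.name]);
  return hits;
}

for (const h of findVulnerable(SHRINKWRAP)) {
  console.log(`${h.name} ${h.version}  ${h.path}`);
}
```

Run against a real npm-shrinkwrap.json with `JSON.parse(fs.readFileSync(...))` in place of the constructed object; each reported path ends at the vulnerable package itself, whereas nsp's table stops at the parent that pulls it in.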