Vulnerabilities in dependencies

[rsp]

Both npm audit in projects using doxdox and the Snyk badge in it's readme show that this modules uses vulnerable versions of lodash and handlebars via its own dependencies:

My questions are:

• is this project still maintained?
• is someone aware of that and going to update dependencies?
• or if not, are you willing to accept PRs by someonbe who does?

@neogeek I see that you've done some updates to avoid snyk alerts last year but the HEAD of master shows "All checks have failed" on GitHub so I don't know if the master in a working state and I'm not sure that the latest changes are published to npm.

[neogeek]

is this project still maintained?

This is the state of an open source project that I promised myself that I would never let any of my projects reach, and yet I have. After finding game development I have definitely let my web-based open source projects fall behind. I aim to do better.

On that note, I plan on going through all of my open source projects, starting with doxdox and doxdox plugins, and updating all dependencies to make sure there no avoidable vulnerabilities.

Thank you for the issue and for using doxdox.

[Rudloff]

Any news on this?

doxdox 3.0.0 is affected by multiple vulnerabilites:

• https://www.npmjs.com/advisories/1065
• https://www.npmjs.com/advisories/782
• https://www.npmjs.com/advisories/577
• https://www.npmjs.com/advisories/1164
• https://www.npmjs.com/advisories/755

One part of the problem is that you use fixed version constraints instead of something like "handlebars": "^4.1.0", so users don't get security updates.

[neogeek]

The latest preview release ( v4.0.0-preview.1 ) of doxdox has resolved the above security issues.