
Ws dos fix #321

Merged
merged 3 commits into from Aug 9, 2018

Conversation

KSchreyer
Contributor

This fixes a vulnerability in the used ws package. See https://www.npmjs.com/advisories/550 for more information.

@coveralls

Coverage Status

Coverage remained the same at 96.481% when pulling 79ace2f on KSchreyer:ws-dos-fix into d9307fa on lipp:master.

Contributor

@lipp lipp left a comment


please double check package-lock.json

"repeat-string": "1.6.1"
"kind-of": "^3.0.2",
"longest": "^1.0.1",
"repeat-string": "^1.5.2"
Contributor


some deps require an older version now... is this intentional?

Contributor Author


Looks strange at first sight, but it seems that npm has switched from exact version numbering to caret version ranges for the requires property. As far as I can say, this does not affect directly dependent packages (those explicitly stated in package.json). Otherwise the package-lock.json would be somehow useless.

So, in the above example "repeat-string": "^1.5.2" will also include "repeat-string": "1.6.1" automatically.

Contributor Author


According to some search results, it seems that this change was introduced with version 6 of npm.
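The caret-range claim in the two comments above ("^1.5.2" covers "1.6.1") can be checked mechanically. The following is an added example, not code from this repository and not the real `semver` package: a minimal checker for the two forms that appear in the quoted package-lock.json excerpt, exact pins like "1.6.1" and caret ranges like "^1.5.2", for plain MAJOR.MINOR.PATCH versions without prerelease tags. The lockfile fragment `lockExcerpt` is constructed to resemble the lines quoted in the review; the resolved versions in it are assumptions, not taken from the actual lockfile.

```javascript
// Added example (not project code): npm-style caret range checking for
// MAJOR.MINOR.PATCH versions. Prerelease/build tags and other range
// operators (~, >=, ||) are deliberately unsupported and rejected.

// Parse "1.6.1" into [1, 6, 1]; throw on anything this example does not handle.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// npm's caret rule: allow changes that do not modify the left-most
// non-zero component. ^1.5.2 -> >=1.5.2 <2.0.0, ^0.2.3 -> >=0.2.3 <0.3.0,
// ^0.0.3 -> >=0.0.3 <0.0.4.
function caretBounds(version) {
  const [major, minor, patch] = version;
  if (major > 0) return { lower: version, upper: [major + 1, 0, 0] };
  if (minor > 0) return { lower: version, upper: [0, minor + 1, 0] };
  return { lower: version, upper: [0, 0, patch + 1] };
}

// Does `version` satisfy `range`, where range is "X.Y.Z" (exact) or "^X.Y.Z"?
function satisfies(range, version) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r.startsWith('^')) {
    const { lower, upper } = caretBounds(parseVersion(r.slice(1)));
    return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
  }
  return compareVersions(v, parseVersion(r)) === 0; // exact pin
}

// Constructed lockfile excerpt (assumption, not the project's real data):
// `requires` mirrors the caret ranges quoted in the review; `resolved`
// holds the version each dependency was actually locked to.
const lockExcerpt = {
  requires: { 'kind-of': '^3.0.2', longest: '^1.0.1', 'repeat-string': '^1.5.2' },
  resolved: { 'kind-of': '3.2.2', longest: '1.0.1', 'repeat-string': '1.6.1' },
};

// Return the names of dependencies whose locked version falls outside the
// range that requires it. An empty array means the lockfile is consistent.
function lockfileMismatches(lock) {
  return Object.keys(lock.requires).filter(
    (name) => !satisfies(lock.requires[name], lock.resolved[name]),
  );
}

// Usage: the quoted case from the review discussion.
console.log('^1.5.2 includes 1.6.1:', satisfies('^1.5.2', '1.6.1'));
console.log('^1.5.2 includes 2.0.0:', satisfies('^1.5.2', '2.0.0'));
console.log('mismatches in constructed excerpt:', lockfileMismatches(lockExcerpt));
```

The point for a reviewer of a lockfile diff is the one the author makes: a caret range in `requires` only states what a dependent accepts, while the locked `version` entry still pins what is installed, so "^1.5.2" alongside a resolved "1.6.1" is consistent rather than a downgrade. The `^0.x` branches matter in practice because many small npm packages never leave 0.x, where a caret is far narrower than it looks.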

@lipp lipp merged commit 9d6b9c1 into HBM:master Aug 9, 2018