```
# npm audit report

dicer *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
No fix available
node_modules/dicer
  busboy <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    @ostro/http *
    Depends on vulnerable versions of busboy
    node_modules/@ostro/http
      @ostro/foundation *
      Depends on vulnerable versions of @ostro/http
      node_modules/@ostro/foundation
        @ostro/framework *
        Depends on vulnerable versions of @ostro/foundation
        Depends on vulnerable versions of @ostro/http
        node_modules/@ostro/framework
```
Hi,

First of all, great work on Ostrojs! But the `http` package makes use of a vulnerable version of `busboy`. The latest version is `1.6.0` and the vulnerability is solved in `1.0.0`.

More info:
mscdex/busboy#250 (comment)
```
# npm list busboy
@ostro/ostro@1.0.1
└─┬ @ostro/framework@1.0.0
  └─┬ @ostro/http@1.0.4
    └── busboy@0.3.1
```
Is it possible to update the dependency?
Thank you!
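
The chain reported above can be checked mechanically, for example in CI. The following is an added example, not part of the issue or of Ostrojs: it walks a tree shaped like `npm ls --json` output and lists every path to a `busboy` older than the fixed release. The sample tree is constructed from the `npm list busboy` output in the issue, and `example-uploader` is a hypothetical package.

```javascript
// Compare plain "major.minor.patch" versions; pre-release tags are ignored
// (simplification: use the `semver` package for full range handling).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return Math.sign(diff);
  }
  return 0;
}

// Returns one entry per installed copy of `pkgName` below `fixedVersion`,
// each showing the chain of dependents that pulls it in.
function findVulnerablePaths(tree, pkgName, fixedVersion) {
  const hits = [];
  const walk = (name, node, trail) => {
    const here = [...trail, `${name}@${node.version}`];
    if (name === pkgName && node.version &&
        compareVersions(node.version, fixedVersion) < 0) {
      hits.push(here.join(" > "));
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(depName, dep, here);
    }
  };
  walk(tree.name, tree, []);
  return hits;
}

// Constructed sample mirroring the `npm list busboy` output in the issue.
const sampleTree = {
  name: "@ostro/ostro", version: "1.0.1",
  dependencies: {
    "@ostro/framework": { version: "1.0.0", dependencies: {
      "@ostro/http": { version: "1.0.4", dependencies: {
        busboy: { version: "0.3.1" } } } } },
    // Hypothetical package (not from the issue): a fixed copy is not flagged.
    "example-uploader": { version: "2.0.0", dependencies: {
      busboy: { version: "1.6.0" } } },
  },
};

console.log(findVulnerablePaths(sampleTree, "busboy", "1.0.0"));
```

A non-empty result means some dependent still resolves to a pre-1.0.0 `busboy`; the printed chain shows which package has to update its dependency.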