Vulnerabilities in dependencies

[pilwon]

Bug report

2 Vulnerabilities found after npm install vuepress

+ vuepress@0.9.0
added 1184 packages from 655 contributors in 54.018s
[!] 2 vulnerabilities found [11060 packages audited]
    Severity: 2 High
    Run `npm audit` for more detail

Version

v0.9.0

Steps to reproduce

$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ string                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > markdown-it-anchor > string                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/536                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ string                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > markdown-it-table-of-contents > string            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/536                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 2 vulnerabilities found - Packages audited: 11060 (11060 dev, 199 optional)
    Severity: 2 High

What is expected?

No error message after npm install vuepress

What is actually happening?

Vulnerabilities found in dependencies

Other relevant information

• Your OS: MacOS 10.13.4
• Node.js version: v8.11.1
• Browser version: n/a
• Is this a global or local install? local
• Which package manager did you use for the install? npm (v6.0.1)

[ulivz]

Thanks,

This should be fixed by string.js, and there has been a fixing pull request: jprichardson/string.js#217.

Hold this issue until this pull request is merged. for now you can use yarn.