Upgrade deps with vulnerabilities
gcoombe opened this issue · comments
Graham Coombe commented
Forest-express has a few outdated deps which have some known vulnerabilities (mostly through the express version).
I think that the easiest way to see what should be updated is using nsp (https://github.com/nodesecurity/nsp). You can just run this on the command line and it lets you know what issues exist.
```text
$ nsp check --output summary
(+) 7 vulnerabilities found
Name Installed Patched Path More Info
debug 2.2.0 >= 2.6.9 < 3.0.0 || >= 3.1.0 forest-express@1.3.4 > body-parser@1.15.0 > debug@2.2.0 https://nodesecurity.io/advisories/534
debug 2.2.0 >= 2.6.9 < 3.0.0 || >= 3.1.0 forest-express@1.3.4 > express@4.14.0 > debug@2.2.0 https://nodesecurity.io/advisories/534
mime 1.3.4 >= 1.4.1 < 2.0.0 || >= 2.0.3 forest-express@1.3.4 > express@4.14.0 > send@0.14.1 > mime@1.3.4 https://nodesecurity.io/advisories/535
mime 1.3.4 >= 1.4.1 < 2.0.0 || >= 2.0.3 forest-express@1.3.4 > superagent@1.8.3 > mime@1.3.4 https://nodesecurity.io/advisories/535
fresh 0.3.0 >= 0.5.2 forest-express@1.3.4 > express@4.14.0 > fresh@0.3.0 https://nodesecurity.io/advisories/526
superagent 1.8.3 None forest-express@1.3.4 > superagent@1.8.3 https://nodesecurity.io/advisories/479
useragent 2.1.9 >=2.1.13 forest-express@1.3.4 > useragent@2.1.9 https://nodesecurity.io/advisories/312
```
Anyway it would be awesome to clean this up. We use nsp to check our dependencies on all our builds and we want to get to green :)
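Added example, not part of this issue, of nsp, or of forest-express: a small Node script that evaluates the Installed and Patched columns of the nsp summary above, so you can tell which listed dependencies a given version bump actually takes out of the vulnerable range. It assumes only the comparator forms that appear in this output (`>=`, `>`, `<`, `<=`, joined by spaces and `||`) and the literal `None` for "no fix yet"; the rows are constructed from the summary in the issue.

```javascript
// Added example (not from the nsp tool or the forest-express project).
// nsp's Patched column is a semver range: comparators separated by spaces
// are ANDed, "||" separates alternatives, and "None" means no fix exists.
// Only the >=, >, <, <= comparator forms seen in the summary are handled.

function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Evaluate one comparator such as ">= 2.6.9" against an installed version.
function satisfiesComparator(installed, comparator) {
  const m = /^(>=|<=|>|<)\s*(\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error('unsupported comparator: ' + comparator);
  const cmp = compareVersions(installed, m[2]);
  if (m[1] === '>=') return cmp >= 0;
  if (m[1] === '<=') return cmp <= 0;
  if (m[1] === '>') return cmp > 0;
  return cmp < 0;
}

// True when `installed` lies inside the patched range (advisory no longer applies).
function isPatched(installed, patchedRange) {
  if (patchedRange.trim() === 'None') return false; // no fixed release exists yet
  return patchedRange.split('||').some(alt => {
    const comparators = alt.match(/(>=|<=|>|<)\s*\d+\.\d+\.\d+/g) || [];
    return comparators.length > 0 &&
      comparators.every(c => satisfiesComparator(installed, c));
  });
}

// Constructed rows copied from the nsp summary in the issue above.
const NSP_ROWS = [
  { name: 'debug', installed: '2.2.0', patched: '>= 2.6.9 < 3.0.0 || >= 3.1.0' },
  { name: 'mime', installed: '1.3.4', patched: '>= 1.4.1 < 2.0.0 || >= 2.0.3' },
  { name: 'fresh', installed: '0.3.0', patched: '>= 0.5.2' },
  { name: 'superagent', installed: '1.8.3', patched: 'None' },
  { name: 'useragent', installed: '2.1.9', patched: '>=2.1.13' },
];

// Names of the rows whose installed version is still inside the vulnerable range.
function stillVulnerable(rows) {
  return rows.filter(r => !isPatched(r.installed, r.patched)).map(r => r.name);
}

console.log(stillVulnerable(NSP_ROWS)); // all five rows are still vulnerable
```

For a real project use the `semver` package's range evaluation rather than this hand-rolled subset; the point here is only how to read the Patched column.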
Arnaud Besnier commented
The new liana versions with upgraded dependencies have been released.
🌲🌲🌲