nsp fails notifme-sdk due to https://nodesecurity.io/advisories/534

Question

nsp fails notifme-sdk due to https://nodesecurity.io/advisories/534

mikiwiik opened this issue 7 years ago · comments

The current (1.4.0) notifme-sdk is caught by nsp due to https://nodesecurity.io/advisories/534

For sure, the root cause is node-gcm, but notifme-sdk get the nsp blame :-)
npm i nsp
nsp check --output summary

(+) 1 vulnerabilities found
Name Installed Patched Path More Info
debug 0.8.1 >= 2.6.9 < 3.0.0 || >= 3.1.0 notifme-sdk@1.4.0 > node-pushnotifications@1.0.18 > node-gcm@0.14.6 > debug@0.8.1 https://nodesecurity.io/advisories/534

David Brown · Answer 1 · Tue Oct 03 2017 21:04:20 GMT+0800 (China Standard Time)

The problem also comes from node-apn https://github.com/node-apn/node-apn/pull/595/files.
Thanks for the notice, I'll update as soon as a new version is available!

David Brown · Answer 2 · Wed Oct 04 2017 13:24:33 GMT+0800 (China Standard Time)

For reference: appfeel/node-pushnotifications#63

David Brown · Answer 3 · Tue Oct 10 2017 17:33:43 GMT+0800 (China Standard Time)

Seems to be alright now:

npx nsp check
(+) No known vulnerabilities found

Anyway I activated Greenkeeper to upgrade dependencies automatically (#26)