dyson dependencies fail npm security audit

Question

bsmithb2 opened this issue 6 years ago · comments

Hi,

dyson 2.0.0 has a fixed dependency on serve-favicon 2.4.3, which has a dependency on fresh 0.5.0.

Fresh versions prior to 0.52.0 have a audit vulnerability as discoverable with npm audit - https://nodesecurity.io/advisories/526

Is it possible to migrate to a version of serve-favicon greater or equal to 2.4.5? This will resolve the vulnerability.

Thanks!

Lars Kappert · Answer 1 · Fri Jun 29 2018 03:32:39 GMT+0800 (China Standard Time)

Updated dependencies in v2.0.1

Lauren Lewis · Answer 2 · Thu Jul 18 2019 16:48:32 GMT+0800 (China Standard Time)

Does the version need updating so it can be released to npm?

Lars Kappert · Answer 3 · Thu Jul 18 2019 17:03:41 GMT+0800 (China Standard Time)

No worries @lorilew, I use release-it for this :)