[#32073] - [4] "1 moderate severity vulnerability" urijs
- Closed
- 13 Apr 2021
- Medium
- Build: staging
- # 32073
Steps to reproduce the issue
npm i
Expected result
No security issues
Actual result
node_modules/urijs
1 moderate severity vulnerability
To address all issues, run:
npm audit fix
urijs <=1.19.3
Severity: moderate
Hostname spoofing via backslashes in URL - https://npmjs.com/advisories/1595
System information (as much as possible)
macOS
Additional comments
npm audit fix fixes the problem but increments the lockfileVersion to 2 and touches almost every line so probably not what you want me to submit as a PR... maybe someone more experienced in npm can advise.
joomla-cms-bot
- | Title |
|
||||||
| Labels |
Added:
?
|
||||||
- We need a proper system to deal with these - they happen all the time and we shouldnt be doing this manually
- Its not audit fix that is changing it to lockfile 2 but your version of node
node -v = v15.6.0
I.e "up to date" :-)
Exactly but until this is changed
},
"engines": {
"node": ">=10.19",
"npm": ">=6.13.4"
},
Technically it's the npm version rather than node. npm 7 contains the new package lock (but is shipping with node 15 by default). If you swap back to the npm LTS version (6.14.11) then you'll get package v1. And yes indeed we should update package.json to stop people trying with npm 7 for now until npm 7 goes stable
my mistake confusing the node and npm as the cause
Fixed the package. I don't wanna upgrade my npm version to find out what breaks tonight having just merged the bs5 stuff. so leaving this open to cover that
Quy
- | Labels |
Added:
Information Required
|
||
This should be closed as it is resolved
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-04-13 23:47:44 |
| Closed_By | ⇒ | Quy |