Andy Edwards
We'd like this as well, but I notice that since the `package.json` file has `^4.17.2` it should already be picking up the latest version of 4.17.*. I'm more worried about...
https://github.com/swagger-api/swagger-node/issues/570 might be relevant. According to that, work is happening to bring the project back to life, so things like the failing Travis and these PRs might get addressed.
Another scenario is where Twistlock/Prisma scans of images that contain `resolve` report scan errors due to the malformed package.json files. In that case the scanner is hunting through the entire...
Could you elaborate on that a bit? Snyk have a PoC at https://snyk.io/vuln/SNYK-JS-STATICEVAL-1056765 ... ```js var evaluate = require('static-eval'); var parse = require('esprima').parse; var src="(function (x) { return `${eval(\"console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())\")}` })()"...
I fear you're right. The CVE is "applicable", as the following command does not return in a timely manner... ``` node -e "const p=require('./index.js'); p.parse(\"
Just want to check what you mean above when you say

> this node parser doesn't have vulns

If I run the following snippet, it consumes a CPU at 100%...
Ah gotcha - thanks :smiley: