
Dependencies have vulnerabilities

Open • Shepard opened this issue 1 year ago • 1 comment

  • Platform: Windows 10 64 bit
  • Mercury Parser Version: 2.2.1
  • Node Version (if a Node bug): v16.16.0

Expected Behavior

No vulnerabilities reported by npm audit / yarn audit.

Current Behavior

Audit reports a bunch of vulnerabilities in dependencies of mercury-parser:

5 vulnerabilities found - Packages audited: 168
Severity: 1 Low | 3 Moderate | 1 High

Steps to Reproduce

  1. Create a node project.
  2. yarn add @postlight/mercury-parser (You already get a bunch of warnings about outdated and deprecated libraries here.)
  3. yarn audit

Detailed Description

I'm trying to keep our software free of vulnerabilities in order to reduce security risks for customers. It is good practice in my mind to update dependencies regularly to avoid any such issues.

Possible Solution

Would be great if these dependencies could be updated or replaced with others where necessary.

Shepard, Sep 02 '22 13:09
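The reproduction in the report (yarn add, then yarn audit) turned into a check a build can fail on, as an added example that is not part of this issue or of the mercury-parser project. It assumes yarn v1's `yarn audit --json` output shape (newline-delimited JSON with one `auditAdvisory` record per vulnerable dependency path and a closing `auditSummary` record); the advisory ids, package names, paths and URLs in the embedded sample are constructed placeholders, not real advisories.

```javascript
// Added example (not the mercury-parser project's code): gate a `yarn audit --json`
// stream on a severity threshold, so the reproduction in the issue (yarn add, yarn audit)
// becomes a CI check rather than a summary to eyeball.
//
// Assumption: yarn v1 emits newline-delimited JSON, one {type:"auditAdvisory"} record per
// vulnerable dependency path and a final {type:"auditSummary"} record. The records below
// are constructed to that shape; ids, package names, paths and URLs are placeholders.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function advisory(id, moduleName, severity, path) {
  return JSON.stringify({
    type: 'auditAdvisory',
    data: {
      resolution: { id, path, dev: false, optional: false, bundled: false },
      advisory: {
        id,
        module_name: moduleName,
        severity,
        title: `Placeholder advisory ${id} (constructed)`,
        url: `https://example.invalid/advisories/${id}`,
        vulnerable_versions: '<1.0.1',
        patched_versions: '>=1.0.1',
      },
    },
  });
}

// Constructed sample: 1 low, 3 moderate, 1 high, mirroring the counts in the issue.
// Advisory 1005 is reachable through two paths, so it appears twice in the stream.
const SAMPLE_AUDIT_NDJSON = [
  advisory(1001, 'example-dep-a', 'low', 'mercury-parser>example-dep-a'),
  advisory(1002, 'example-dep-b', 'moderate', 'mercury-parser>example-dep-b'),
  advisory(1003, 'example-dep-c', 'moderate', 'mercury-parser>example-dep-c'),
  advisory(1004, 'example-dep-d', 'moderate', 'mercury-parser>example-dep-b>example-dep-d'),
  advisory(1005, 'example-dep-e', 'high', 'mercury-parser>example-dep-e'),
  advisory(1005, 'example-dep-e', 'high', 'mercury-parser>example-dep-c>example-dep-e'),
  'warning some non-JSON noise a wrapper might let through', // parser must skip this
  JSON.stringify({
    type: 'auditSummary',
    data: {
      vulnerabilities: { info: 0, low: 1, moderate: 3, high: 1, critical: 0 },
      dependencies: 168, devDependencies: 0, optionalDependencies: 0, totalDependencies: 168,
    },
  }),
].join('\n');

// Parse the NDJSON stream into advisory objects plus the summary record.
function parseYarnAudit(ndjson) {
  const advisories = [];
  let summary = null;
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    let record;
    try { record = JSON.parse(line); } catch (_) { continue; } // skip non-JSON lines
    if (record.type === 'auditAdvisory') advisories.push(record.data.advisory);
    else if (record.type === 'auditSummary') summary = record.data;
  }
  return { advisories, summary };
}

// Return the distinct advisories at or above `threshold`. An unrecognised severity
// string is treated as failing (fail closed) rather than silently ignored.
function gateAudit(ndjson, threshold = 'high') {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown threshold: ${threshold}`);
  const { advisories, summary } = parseYarnAudit(ndjson);
  const distinct = new Map(); // one entry per advisory id, however many paths reach it
  for (const a of advisories) if (!distinct.has(a.id)) distinct.set(a.id, a);
  const failing = [...distinct.values()].filter((a) => {
    const rank = SEVERITY_RANK[a.severity];
    return rank === undefined || rank >= SEVERITY_RANK[threshold];
  });
  return { pass: failing.length === 0, failing, counts: summary ? summary.vulnerabilities : null };
}

function formatReport(result, threshold) {
  const lines = [];
  if (result.counts) {
    const c = result.counts;
    lines.push(`yarn reported: ${c.low} low | ${c.moderate} moderate | ${c.high} high | ${c.critical} critical`);
  }
  for (const a of result.failing) lines.push(`FAIL ${a.severity.padEnd(8)} ${a.module_name}  ${a.url}`);
  lines.push(result.pass
    ? `PASS: nothing at or above ${threshold}`
    : `FAIL: ${result.failing.length} advisory(ies) at or above ${threshold}`);
  return lines.join('\n');
}

// `node audit-gate.js` runs against the constructed sample and only prints;
// `yarn audit --json | node audit-gate.js --stdin [low|moderate|high|critical]` reads
// real output and exits non-zero when the gate fails.
if (typeof require !== 'undefined' && require.main === module) {
  const useStdin = process.argv.includes('--stdin');
  const threshold = process.argv.find((a) => a in SEVERITY_RANK) || 'high';
  const input = useStdin ? require('fs').readFileSync(0, 'utf8') : SAMPLE_AUDIT_NDJSON;
  const result = gateAudit(input, threshold);
  console.log(formatReport(result, threshold));
  if (useStdin && !result.pass) process.exitCode = 1;
}
```

Two choices worth noting: advisories are counted once per id rather than once per dependency path, so a single vulnerable transitive package reached through several parents does not inflate the failure count, and a severity string the gate does not recognise fails the build instead of being skipped, which is the safe default when the audit format drifts.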

Thanks for noting this! I've just updated a lot of dependencies in #687. There's still one vulnerability listed for cheerio, which is both a critical piece of this project and one that is very hard to touch, in my experience. We have plans to come back to deal with cheerio soon.

johnholdun, Sep 08 '22 19:09