node-static package is vulnerable, how to bypass this dependency
Your question
node-static is a dependent package for sitespeed/browsertime. But node-static is considered highly vulnerable, and our organization is not allowing us to download this dependency. Please refer to the package health score at the URL below.
https://snyk.io/advisor/npm-package/node-static
Due to this, we are not able to install it via the npm install command. Refer to the exception below. Is there a way to bypass the dependency and proceed?
```
X:>npm install -g [email protected]
npm error code E404
npm error 404 Not Found - GET https://XXX-nprepo.XXX.com/artifactory/api/npm/fm-npm-auto-local/node-static
npm error 404
npm error 404 'node-static@^0.7.11' is not in this registry.
npm error 404
npm error 404 Note that you can also install from a
npm error 404 tarball, folder, http url, or git url.
```
You can ping https://github.com/fqueze/usb-power-profiling and ask them to fix the dependency, then I can upgrade to the new version in Browsertime.
@fqueze @gmierz @canova @gw3583 @#5julienw. Please see the above comments from @soulgalore. Can you help fix the dependency (node-static) package?
usb-power-profiling 1.5.0 no longer depends on node-static.
@soulgalore. usb-power-profiling contributors have replaced the node-static package with serve-handler. Can you help with the new version of browsertime?
This is fixed in https://github.com/sitespeedio/sitespeed.io/pull/4336 - let me do a sitespeed.io release later tonight.
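
To confirm which package pulls node-static into an install, and that an upgrade has removed it, the chain can be read from the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3). The sketch below is an added example, not part of this thread or of any project mentioned in it; `resolveDep`, `findChains` and the sample lockfile are hypothetical names and constructed data.

```javascript
// Resolve `name` as Node does: the dependent's own node_modules first, then each parent up to the root.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Breadth-first walk from the root project; returns the shortest chain to
// each installed package that directly depends on `target`.
function findChains(lock, target) {
  const packages = lock.packages || {};
  if (!packages['']) return [];
  const label = (p) => (p === '' ? '(root)' : `${p.split('node_modules/').pop()}@${packages[p].version}`);
  const parent = new Map([['', null]]);
  const queue = [''];
  const chains = [];
  while (queue.length) {
    const path = queue.shift();
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
      ...(path === '' ? pkg.devDependencies : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(packages, path, name);
      if (!next) continue; // optional dependency that was not installed
      if (name === target) {
        const chain = [label(next)];
        for (let p = path; p !== null; p = parent.get(p)) chain.unshift(label(p));
        chains.push(chain.join(' > '));
      } else if (!parent.has(next)) {
        parent.set(next, path);
        queue.push(next);
      }
    }
  }
  return chains;
}

// Constructed sample lockfile; versions are made up for illustration.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'example-project', dependencies: { 'sitespeed.io': '*' } },
  'node_modules/sitespeed.io': { version: '0.0.0-sample', dependencies: { browsertime: '*' } },
  'node_modules/browsertime': { version: '0.0.0-sample', dependencies: { 'usb-power-profiling': '*' } },
  'node_modules/usb-power-profiling': { version: '0.0.0-sample', dependencies: { 'node-static': '^0.7.11' } },
  'node_modules/node-static': { version: '0.7.11' },
} };
console.log(findChains(sampleLock, 'node-static'));
```

For a real project, pass the parsed contents of `package-lock.json` instead of `sampleLock`; an empty result after upgrading means no installed package still requests node-static.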