loopback-component-storage

chore: update dependency

Open jannyHou opened this issue 5 years ago • 16 comments

Update the dependencies:

Solution is from https://github.com/ppproxy/loopback-component-storage/commit/1ab25b68910b37bf0dd2db697ec363a804483e8a

The vulnerability package path is: [email protected][email protected][email protected][email protected][email protected]

liboneandone is not maintained anymore; for more discussion, see https://github.com/pkgcloud/pkgcloud/issues/644, https://github.com/pkgcloud/pkgcloud/issues/675, https://github.com/pkgcloud/pkgcloud/pull/671

jannyHou avatar Jan 15 '20 18:01 jannyHou

Should fix the vulnerability, see the installation message:

jannyHous-MacBook-Pro:loopback-component-storage jannyhou$ npm i
npm WARN deprecated [email protected]: Please note that v5.0.1+ of superagent removes User-Agent header by default, therefore you may need to add it yourself (e.g. GitHub blocks requests without a User-Agent header).  This notice will go away with v5.0.2+ once it is released.

> [email protected] postinstall /Users/jannyhou/Desktop/2019/snyk/loopback-component-storage/node_modules/ejs
> node ./postinstall.js

Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)

npm WARN [email protected] requires a peer of eslint@^2.0.0 || ^3.0.0 || ^4.0.0 but none is installed. You must install peer dependencies yourself.

added 455 packages from 855 contributors and audited 2594 packages in 34.911s
found 0 vulnerabilities

jannyHou avatar Jan 15 '20 18:01 jannyHou

Chatted with @raymondfeng, the best solution would be a new release of https://github.com/1and1/oneandone-cloudserver-sdk-nodejs

I contacted the author in https://github.com/1and1/oneandone-cloudserver-sdk-nodejs/issues/21#issuecomment-574834558, will wait and see if we can use the new release.

jannyHou avatar Jan 15 '20 20:01 jannyHou

Hey all, I really appreciate all the work that has gone into this package to make Strongloop/Loopback a viable framework.

I'm hoping that this can be merged in sometime soon as I continue to get critical and high warnings via npm audit when it seems like this branch resolves these warnings.

Again, I appreciate all the work! Thanks in advance.

hectorleiva avatar Feb 17 '20 03:02 hectorleiva

Waiting for this update too.

pbalan avatar Mar 04 '20 08:03 pbalan

To those who are concerned, we did the analysis and concluded that the reported vulnerability was transitively from an older version of mocha. No runtime code uses that dependency and it's safe even though a warning is issued by npm audit.

We understand the alerts are annoying. We have tried to get it fixed by upstream modules but no success so far. It's a bit frustrating. We'll see if we have to fork the offending modules and release them under new names.

raymondfeng avatar Mar 04 '20 21:03 raymondfeng
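The analysis described in the comment above (is the flagged package reachable from the root through runtime dependencies, or only through a devDependency such as mocha?) can be mechanised. The following is an added example, not code from this thread or from the loopback-component-storage project; the package names, versions and manifest map are constructed placeholders, not the project's real dependency chain, and `classifyFinding` is a hypothetical helper.

```javascript
// Added example (not from the loopback-component-storage project): classify an
// npm audit finding by whether the flagged package is reachable from the root
// package through production (runtime) dependency edges, or only through the
// root's devDependencies. The manifest map below is constructed for the
// example; the names and versions are placeholders, not the real chain.
const MANIFESTS = {
  "example-root": {
    dependencies: { "runtime-lib": "1.0.0" },
    devDependencies: { "mocha": "2.5.3" }, // old test runner, dev only
  },
  "runtime-lib": { dependencies: {}, devDependencies: {} },
  "mocha": { dependencies: { "old-transitive": "0.1.0" }, devDependencies: {} },
  "old-transitive": { dependencies: { "vulnerable-pkg": "0.0.1" }, devDependencies: {} },
  "vulnerable-pkg": { dependencies: {}, devDependencies: {} },
};

// Breadth-first search from root to target. npm installs only the root's
// devDependencies; devDependencies of transitive packages are never installed,
// so dev edges are followed for the root only, and only when includeDev is set.
// Returns the shortest path as an array of package names, or null.
function findPath(manifests, root, target, { includeDev }) {
  const queue = [[root]];
  const seen = new Set([root]);
  while (queue.length > 0) {
    const path = queue.shift();
    const name = path[path.length - 1];
    if (name === target) return path;
    const manifest = manifests[name] || {};
    const edges = Object.keys(manifest.dependencies || {});
    if (includeDev && name === root) {
      edges.push(...Object.keys(manifest.devDependencies || {}));
    }
    for (const next of edges) {
      if (!seen.has(next)) {
        seen.add(next);
        queue.push([...path, next]);
      }
    }
  }
  return null;
}

// Classify a finding: "runtime" if reachable through production edges,
// "dev-only" if reachable only via the root's devDependencies, otherwise
// "not-installed" (the advisory does not apply to this tree at all).
function classifyFinding(manifests, root, target) {
  const runtimePath = findPath(manifests, root, target, { includeDev: false });
  if (runtimePath) return { reachable: "runtime", path: runtimePath };
  const devPath = findPath(manifests, root, target, { includeDev: true });
  if (devPath) return { reachable: "dev-only", path: devPath };
  return { reachable: "not-installed", path: null };
}

// Stand-alone run over the constructed manifests.
console.log(classifyFinding(MANIFESTS, "example-root", "vulnerable-pkg"));
console.log(classifyFinding(MANIFESTS, "example-root", "runtime-lib"));
```

A "dev-only" result supports the conclusion in the comment above (no runtime code loads the package), but it does not make the finding disappear: the package is still installed on developer and CI machines, where its install scripts and test-time code do run, so the advisory still belongs in the dependency-upgrade backlog. On the tooling side the same distinction is what `npm audit --production` (npm 6; npm 7 and later use `--omit=dev`) applies when it ignores dev-only findings.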

@raymondfeng I'd like some help with https://github.com/strongloop/loopback-component-storage/issues/237. Not sure if I should open a new one.

pbalan avatar Mar 12 '20 16:03 pbalan

Hey all, I really appreciate all the work. Waiting for this update too.

mjaime29 avatar Apr 06 '20 17:04 mjaime29

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 05 '20 17:06 stale[bot]

Is there any update on this? I know that the dependency is not being used, but the critical thing is very annoying.

KevLehman avatar Jun 18 '20 21:06 KevLehman

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Aug 22 '20 20:08 stale[bot]

Is there any update on this?

mjaime29 avatar Aug 24 '20 13:08 mjaime29

Any update on this issue?

AgostinoArcasensa avatar Oct 31 '20 10:10 AgostinoArcasensa

Hey, any update on this issue?

lewie6 avatar May 19 '21 06:05 lewie6

Is there any update on this story?

Gayathri-Nadimpalli avatar May 19 '21 08:05 Gayathri-Nadimpalli

Just checked the comment @jannyHou posted above: https://github.com/1and1/oneandone-cloudserver-sdk-nodejs/issues/21#issuecomment-574834558, there's no progress from there.

In the meanwhile, please take a look at @raymondfeng's comment:

No runtime code uses that dependency and it's safe even though a warning is issued by npm audit.

dhmlau avatar May 19 '21 23:05 dhmlau

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 21 '21 02:07 stale[bot]