nsp reports potentially bad version of connect used by karma #1295

Closed
pdehaan opened this issue Jan 30, 2015 · 2 comments

pdehaan commented Jan 30, 2015

Steps to reproduce:

$ git clone git@github.com:karma-runner/karma.git .
$ npm i
$ npm shrinkwrap --dev
$ nsp audit-shrinkwrap # [sudo] npm i nsp -g

Actual results:

$ nsp audit-shrinkwrap

Name          Installed   Patched  Vulnerable Dependency
serve-static    1.6.4     >=1.7.2  karma > connect
qs              0.5.6     >= 1.x   karma > grunt-contrib-watch > tiny-lr-fork
qs              0.5.6     >= 1.x   karma > grunt-contrib-watch > tiny-lr-fork
syntax-error    0.0.1    >= 1.1.1  karma > grunt-cucumberjs > cucumber > browserify

I think this is the serve-static issue in question: https://nodesecurity.io/advisories/serve-static-open-redirect (fixed in serve-static@>=1.7.2) which seems to be fixed in newer versions of connect@2.28.0 and later.
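The kind of check nsp runs against the shrinkwrap, as an added example (not karma's or nsp's own code): a constructed npm-shrinkwrap.json fragment mirroring the dependency paths in the report above, walked against a constructed table of first-patched versions. The nested tree layout, the advisory format and the plain numeric version comparison are simplifications assumed for the example.

```javascript
// Constructed npm-shrinkwrap.json fragment mirroring the report in the issue
// (nested "dependencies" objects, each with a "version", as in shrinkwrap v1).
// Versions of the intermediate packages are made up for the example.
const shrinkwrap = {
  name: "karma",
  dependencies: {
    connect: {
      version: "2.26.6",
      dependencies: { "serve-static": { version: "1.6.4" } },
    },
    "grunt-contrib-watch": {
      version: "0.6.1",
      dependencies: {
        "tiny-lr-fork": { version: "0.0.5", dependencies: { qs: { version: "0.5.6" } } },
      },
    },
  },
};
// Constructed advisory table: a package is flagged when its installed
// version is lower than the first patched version (nsp's "Patched" column).
const advisories = [
  { name: "serve-static", patched: "1.7.2" },
  { name: "qs", patched: "1.0.0" },
];
// Numeric comparison of dotted versions (no pre-release tag handling);
// returns <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Depth-first walk of the tree; returns one record per install path whose
// pinned version is below an advisory's patched version, so the same
// package shows up once for every path that pulls it in.
function findVulnerable(tree, advisoryList, path = [tree.name]) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = path.concat(name);
    for (const adv of advisoryList) {
      if (adv.name === name && compareVersions(node.version, adv.patched) < 0) {
        hits.push({ name, installed: node.version, patched: `>=${adv.patched}`, path: here.join(" > ") });
      }
    }
    hits.push(...findVulnerable(node, advisoryList, here));
  }
  return hits;
}
console.log(findVulnerable(shrinkwrap, advisories));
```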

pdehaan commented Jan 30, 2015

And since I'm already posting, here are all the "outdated" modules, per the npm outdated command:

$ npm outdated --depth 0 | sort
Package               Current     Wanted  Latest  Location
chai                    1.9.2      1.9.2  1.10.0  chai
chokidar               0.12.6  1.0.0-rc2  0.12.6  chokidar
coffee-script           1.7.1      1.7.1   1.9.0  coffee-script
colors                  0.6.2      0.6.2   1.0.3  colors
connect                2.26.6     2.26.6   3.3.4  connect
glob                   3.2.11     3.2.11   4.3.5  glob
graceful-fs             2.0.3      2.0.3   3.0.5  graceful-fs
grunt-browserify        2.1.4      2.1.4   3.3.0  grunt-browserify
grunt-contrib-jshint   0.10.0     0.10.0  0.11.0  grunt-contrib-jshint
grunt-jscs-checker      0.6.2      0.6.2   0.8.1  grunt-jscs-checker
http-proxy             0.10.4     0.10.4   1.8.1  http-proxy
karma-jasmine           0.1.5      0.1.5   0.3.5  karma-jasmine
LiveScript              1.2.0      1.2.0   1.3.1  LiveScript
load-grunt-tasks        0.6.0      0.6.0   3.1.0  load-grunt-tasks
lodash                  2.4.1      2.4.1   3.0.0  lodash
minimatch              0.2.14     0.2.14   2.0.1  minimatch
mkdirp                  0.3.5      0.3.5   0.5.0  mkdirp
mocha                  1.20.1     1.20.1   2.1.0  mocha
q                       0.9.7      0.9.7   1.1.2  q
sinon                  1.10.3     1.10.3  1.12.2  sinon
sinon-chai              2.5.0      2.5.0   2.6.0  sinon-chai
socket.io              0.9.16     0.9.16   1.3.2  socket.io
source-map             0.1.43     0.1.43   0.2.0  source-map
useragent              2.0.10     2.0.10   2.1.5  useragent

dignifiedquire (Member) commented
Thanks, closing in favor of #1410 which is tracking these upgrades
