Closed
Description
See:
- https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking,
- https://nodesecurity.io/advisories/qs_dos_memory_exhaustion, and
- https://nodesecurity.io/advisories/send-directory-traversal
Steps to reproduce:
```
$ git clone https://github.com/broccolijs/broccoli.git .
$ npm install
npm WARN deprecated static-favicon@1.0.2: use serve-favicon module
$ npm shrinkwrap --dev
wrote npm-shrinkwrap.json
$ # sudo npm i nsp -g
$ nsp audit-shrinkwrap
Name  Installed  Patched   Vulnerable Dependency
qs    0.6.6      >= 1.x    broccoli > connect
send  0.3.0      >= 0.8.4  broccoli > connect > serve-static
qs    0.5.6      >= 1.x    broccoli > tiny-lr
$ npm outdated --depth 0
Package     Current  Wanted  Latest  Location
connect     2.14.5   2.14.5  3.2.0   connect
handlebars  1.3.0    1.3.0   2.0.0   handlebars
jshint      2.3.0    2.3.0   2.5.6   jshint
tiny-lr     0.0.5    0.0.5   0.1.4   tiny-lr
$ travis-lint # http://lint.travis-ci.org/broccolijs/broccoli
$ # sudo npm i pjv -g
$ pjv -wr
{ valid: true,
  warnings:
   [ 'Missing recommended field: keywords',
     'Missing recommended field: bugs',
     'Missing recommended field: contributors' ],
  recommendations:
   [ 'Missing optional field: homepage',
     'Missing optional field: engines' ] }
```