NPM audit reports 2 vulnerabilities

[forever14k]

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Cryptographically Weak PRNG                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ randomatic                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-load-plugins [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-load-plugins > findup-sync > micromatch > braces >      │
│               │ expand-range > fill-range > randomatic                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/157                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Cryptographically Weak PRNG                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ randomatic                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-load-plugins [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-load-plugins > micromatch > braces > expand-range >     │
│               │ fill-range > randomatic                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/157                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Is there any chance for updating vulnerable dependencies?
Thanks in advance.

[callumacrae]

npm audit is a bit eager with this stuff, this isn't an issue

1. you shouldn't be running gulp in production and you definitely shouldn't be doing it anywhere users have access to it

2. micromatch isn't using randomatic for cryptography so there's no vulnerability there anyway

3. this isn't an issue in randomatic either apparently: Cryptographically Weak PRNG jonschlinkert/randomatic#15

[puggan]

npm audit have changed it warnings to recomendate: braces >=2.3.1
so instead of
gulp-load-plugins > micromatch > braces > expand-range > fill-range > randomatic
it now just says:
gulp-load-plugins > micromatch > braces

So the problems now is:
gulp-load-plugins > micromatch > braces
gulp-load-plugins@1.5.0 -> micromatch: ^2.3.8
micromatch@2.3.11 -> braces: ^1.8.2
not braces >=2.3.1

gulp-load-plugins > findup-sync > micromatch > braces
gulp-load-plugins@1.5.0 -> findup-sync: ^0.4.0
findup-sync@0.4.3 -> micromatch: ^2.3.7
micromatch@2.3.11 -> braces: ^1.8.2
not braces >=2.3.1

and it looks like they are fixed in #138

[jameelmoses]

As noted above, this was resolved with #138. Closing now. Will work on updating deprecated packages in the next release.