feathersjs-ecosystem/feathers-mailer

out-of-date dependencies in npm package

gorango opened this issue · 1 comment

Expected behavior

npm i feathers-mailer should fetch the latest dependencies (as defined in package):

"dependencies": {
  "debug": "^4.3.1",
  "nodemailer": "^6.6.0",
  "uberproto": "^2.0.6"
}

Actual behavior

The last update to the npm package was 3 years ago (npm version, git commit 5da0ebd) and fetches the following dependencies:

"dependencies": {
  "debug": "^3.1.0",
  "nodemailer": "^4.4.2",
  "uberproto": "^2.0.0"
}

The main reason for opening this issue is that npm is showing a command injection advisory for an old version of nodemailer when installing the package:

> npm install feathers-mailer
> npm audit
# npm audit report

nodemailer  <6.4.16
Severity: critical
Command Injection - https://npmjs.com/advisories/1708
No fix available
node_modules/nodemailer
  feathers-mailer  *
  Depends on vulnerable versions of nodemailer
  node_modules/feathers-mailer

2 critical severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

System configuration

Module versions: v3.0.1

NodeJS version: 14.14.0

Operating System: Ubuntu 20

Browser Version: N/A
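The audit result quoted above rests on two semver checks: whether the installed nodemailer falls in the advisory range "<6.4.16", and whether the parent's declared range "^4.4.2" can ever resolve to a fixed release (it cannot, which is what "No fix available" means here). The following is an added example, not code from feathers-mailer, npm or the issue author; it reproduces both checks offline with a minimal caret-range resolver. The installed nodemailer version (4.7.0) and the advisory object are constructed assumptions, not values from the page.

```javascript
// Added example: reproduce npm audit's two decisions for a single advisory
// without touching the network or a real node_modules tree.

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" and any prerelease/build
// suffix are ignored) into a numeric triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare on the numeric triple: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Resolve a caret range "^X.Y.Z" to its half-open interval [lower, upper).
// Caret semantics: the leftmost non-zero component may not change.
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const [x, y, z] = parseVersion(range.slice(1));
  const lower = `${x}.${y}.${z}`;
  let upper;
  if (x > 0) upper = `${x + 1}.0.0`;
  else if (y > 0) upper = `0.${y + 1}.0`;
  else upper = `0.0.${z + 1}`;
  return { lower, upper };
}

// Advisory ranges of the form "<FIXED": a version is affected when it sorts
// strictly below the first fixed release.
function isAffected(installed, advisoryRange) {
  const m = /^<\s*(\S+)$/.exec(advisoryRange);
  if (!m) throw new Error(`only "<version" advisory ranges handled: ${advisoryRange}`);
  return compareVersions(installed, m[1]) < 0;
}

// Can the parent's declared caret range resolve to a release >= fixed?
// The interval [lower, upper) admits the fixed version iff fixed < upper.
function fixReachable(declaredRange, fixedVersion) {
  const { upper } = caretBounds(declaredRange);
  return compareVersions(fixedVersion, upper) < 0;
}

// Audit one dependency edge parent -> child: the range the parent declares,
// the child version actually installed, and the advisory to check against.
function auditEdge({ parent, child, declaredRange, installed, advisory }) {
  const fixed = advisory.range.replace(/^<\s*/, '');
  const affected = isAffected(installed, advisory.range);
  return {
    parent,
    child,
    installed,
    affected,
    // If the installed version is already clean there is nothing to fix.
    fixAvailable: affected ? fixReachable(declaredRange, fixed) : true,
  };
}

// Constructed advisory object modelled on the npm audit output above.
const ADVISORY_1708 = { id: 1708, title: 'Command Injection', range: '<6.4.16' };

// Constructed edge for the published feathers-mailer@3.0.1 manifest. The
// installed nodemailer version 4.7.0 is an assumption: any release in ^4.4.2.
const publishedV301 = auditEdge({
  parent: 'feathers-mailer@3.0.1',
  child: 'nodemailer',
  declaredRange: '^4.4.2',
  installed: '4.7.0',
  advisory: ADVISORY_1708,
});
// affected: true, fixAvailable: false  -> "No fix available"

// Constructed edge for the git manifest quoted under "Expected behavior".
const repoManifest = auditEdge({
  parent: 'feathers-mailer (git)',
  child: 'nodemailer',
  declaredRange: '^6.6.0',
  installed: '6.6.0',
  advisory: ADVISORY_1708,
});
// affected: false, fixAvailable: true

console.log(publishedV301);
console.log(repoManifest);
```

The "No fix available" line is the interesting one: npm cannot bump nodemailer to 6.4.16 on its own because the published ^4.4.2 range tops out below 5.0.0, so the only remedy is a new feathers-mailer release with a wider range, which is what the maintainer reply below provides.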

daffl commented

Update dependencies published in v3.1.0