Upgrade package.json to use most recent pleeease and deep-extend
altmind opened this issue · 0 comments
altmind commented
I'm using the latest version of pleeease-brunch.
npm audit shows I'm affected by a couple of "Prototype pollution" moderate vulnerabilities.
I see the error comes from the hoek and deep-extend packages, which are indirect and direct dependencies of pleeease-brunch.
Can you please upgrade pleeease-brunch to the newest pleeease and deep-extend, where, I suppose, this problem is fixed?
npm audit:
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of pleeease-brunch [dev]
Path pleeease-brunch > pleeease > less > request > hawk > boom >
hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of pleeease-brunch [dev]
Path pleeease-brunch > pleeease > less > request > hawk >
cryptiles > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of pleeease-brunch [dev]
Path pleeease-brunch > pleeease > less > request > hawk > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of pleeease-brunch [dev]
Path pleeease-brunch > pleeease > less > request > hawk > sntp >
hoek
More info https://nodesecurity.io/advisories/566
Low Prototype Pollution
Package deep-extend
Patched in >=0.5.1
Dependency of pleeease-brunch [dev]
Path pleeease-brunch > deep-extend
More info https://nodesecurity.io/advisories/612
Low Prototype Pollution
Package deep-extend
Patched in >=0.5.1
Dependency of pleeease-brunch [dev]
Path pleeease-brunch > pleeease > deep-extend
More info https://nodesecurity.io/advisories/612
found 6 vulnerabilities (2 low, 4 moderate) in 11320 scanned packages
6 vulnerabilities require manual review. See the full report for details.
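
An added example, not part of the original issue or of any project named in it: a minimal check of an installed version against the "Patched in" ranges from the audit output above. The range strings are copied from the report; the function names and the sample installed versions are assumptions constructed for illustration, and only plain x.y.z versions are supported.

```javascript
// Added example: minimal range check for the "Patched in" values in the report.
// Supports plain x.y.z versions and the comparators >, >=, <, <=, = only.

// Ranges copied from the npm audit output in the issue.
const PATCHED = new Map([
  ['hoek', '> 4.2.0 < 5.0.0 || >= 5.0.3'],
  ['deep-extend', '>=0.5.1'],
]);

// Parse "x.y.z" into [x, y, z]; reject anything else (pre-release tags etc.).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way compare: negative, zero or positive.
function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

const OPS = {
  '>': c => c > 0, '>=': c => c >= 0,
  '<': c => c < 0, '<=': c => c <= 0, '=': c => c === 0,
};

// A range is a "||"-separated list of alternatives; every comparator inside
// one alternative must hold for that alternative to match.
function satisfies(version, range) {
  return range.split('||').some(alt => {
    const comparators = [...alt.matchAll(/(>=|<=|>|<|=)\s*(\d+\.\d+\.\d+)/g)];
    if (comparators.length === 0) throw new Error(`unsupported range: ${alt}`);
    return comparators.every(([, op, ver]) => OPS[op](compare(version, ver)));
  });
}

// True when the installed version falls inside the patched range.
function isPatched(pkg, installed) {
  if (!PATCHED.has(pkg)) throw new Error(`no advisory range for ${pkg}`);
  return satisfies(installed, PATCHED.get(pkg));
}

// Constructed installed versions, for illustration only.
for (const [pkg, ver] of [['hoek', '2.16.3'], ['hoek', '4.2.1'], ['deep-extend', '0.4.2']]) {
  console.log(`${pkg}@${ver}: ${isPatched(pkg, ver) ? 'patched' : 'vulnerable'}`);
}
```

Note that the hoek range is split: 5.0.0 through 5.0.2 fall outside both alternatives, so a version in that gap is not covered by the patch even though it is newer than 4.2.1.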