Node security platform reporting vulnerability in lasso > send > mime dependency
gunjam opened this issue · 1 comment
gunjam commented
Running nsp check on my project (which uses lasso) I get the following output:
┌────────────┬────────────────────────────────────────────────────────────────────┐
│ │ Regular Expression Denial of Service │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name │ mime │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS │ 7.5 (High) │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed │ 1.3.4 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ < 1.4.1 || > 2.0.0 < 2.0.3 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched │ >= 1.4.1 < 2.0.0 || >= 2.0.3 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path │ agent-frontend@0.0.1 > lasso@3.1.2 > send@0.13.2 > mime@1.3.4 │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info │ https://nodesecurity.io/advisories/535 │
└────────────┴────────────────────────────────────────────────────────────────────┘
Is it possible to update to a later version of send, which in turn uses a non-vulnerable version of mime? The latest version of send, for example, uses mime 1.4.1, which should be fine.
While I'm sure this probably isn't causing any real issues, it is causing concern for certain people in my office 😅
Ta.
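To make the nsp report above concrete, here is an added example (not code from lasso, send, mime or nsp) that checks a dependency path of the form nsp prints against the advisory's Vulnerable and Patched ranges. It implements only the comparator syntax those two fields use (`<`, `<=`, `>`, `>=`, plain `x.y.z`, space for AND, `||` for OR), so it does not need the `semver` package; the advisory values are copied from the table above, and the path strings passed to it are taken from the report or constructed for illustration.

```javascript
// Added example: audit an nsp-style dependency path against the mime advisory.
// Versions are assumed to be plain MAJOR.MINOR.PATCH (no prerelease tags).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator callback.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "< 1.4.1 || > 2.0.0 < 2.0.3" -> [[{op:'<', version:'1.4.1'}], [{op:'>', ...}, {op:'<', ...}]]
// Clauses separated by "||" are OR-ed; comparators inside a clause are AND-ed.
function parseRange(range) {
  return range.split('||').map(clause => {
    const comparators = [];
    const re = /(<=|>=|<|>|=)?\s*(\d+\.\d+\.\d+)/g;
    let m;
    while ((m = re.exec(clause)) !== null) {
      comparators.push({ op: m[1] || '=', version: m[2] });
    }
    if (comparators.length === 0) throw new Error(`empty range clause: "${clause}"`);
    return comparators;
  });
}

function satisfiesComparator(version, { op, version: bound }) {
  const c = compareVersions(version, bound);
  switch (op) {
    case '<':  return c < 0;
    case '<=': return c <= 0;
    case '>':  return c > 0;
    case '>=': return c >= 0;
    default:   return c === 0;
  }
}

function satisfies(version, range) {
  return parseRange(range).some(clause =>
    clause.every(cmp => satisfiesComparator(version, cmp)));
}

// Values copied from the nsp output in this issue.
const MIME_ADVISORY = {
  name: 'mime',
  vulnerable: '< 1.4.1 || > 2.0.0 < 2.0.3',
  patched: '>= 1.4.1 < 2.0.0 || >= 2.0.3',
};

// pathString is an nsp "Path" field, e.g. "a@0.0.1 > b@3.1.2 > mime@1.3.4".
// The last element is the package the advisory is about; the rest is the
// chain of dependents that pulled it in (useful for deciding what to bump).
function auditPath(pathString, advisory = MIME_ADVISORY) {
  const nodes = pathString.split('>').map(s => s.trim()).map(s => {
    const at = s.lastIndexOf('@');
    return { name: s.slice(0, at), version: s.slice(at + 1) };
  });
  const leaf = nodes[nodes.length - 1];
  if (leaf.name !== advisory.name) {
    return { vulnerable: false, patched: false, via: [], reason: 'path does not end in the advised package' };
  }
  return {
    vulnerable: satisfies(leaf.version, advisory.vulnerable),
    patched: satisfies(leaf.version, advisory.patched),
    via: nodes.slice(0, -1).map(n => `${n.name}@${n.version}`),
  };
}

// Path exactly as reported above, then a constructed path for the fix the
// issue proposes (a send release that depends on mime 1.4.1).
const reported = 'agent-frontend@0.0.1 > lasso@3.1.2 > send@0.13.2 > mime@1.3.4';
const proposed = 'agent-frontend@0.0.1 > lasso@3.1.2 > send@X.Y.Z > mime@1.4.1'; // send version is a placeholder
console.log(auditPath(reported));
console.log(auditPath(proposed));
```

Running it flags the reported path as vulnerable and not patched, and the proposed path (mime 1.4.1) as patched. Checking both fields rather than only one is deliberate: as printed, the two ranges leave 2.0.0 in neither, so a tool that only tested "patched" would report that version differently from one that only tested "vulnerable".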
joshgarde commented
Bump; after updating node & npm, npm is now yelling at me too.