Upgrade `open` dependency
ryw opened this issue · 3 comments
`open` 0.0.5 is vulnerable (https://www.npmjs.com/advisories/663); fixed in any version >0.0.5.
Sure, though note bluebird has no dependencies and this is just a devDependency.
For some reason Twistlock (CVE scanner from Palo Alto Networks) is alerting this CVE on our API image, possibly it's coming from some other dependency - will re-check.
/cc @samblackk
devDependency, closing.
Found this:
"The 'dependencies' and 'devDependencies' sections from package.json file may contain special metadata chars (~ and ^), which are picked up by Twistlock as part of the package version, causing these false positives. If using twistcli, these fields are evaluated when the -include-js-dependencies flag is set. These are also evaluated for images when the 'Scan for vulnerable javascript package dependencies within images and functions' is toggled on." - https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNXaCAO
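As an added example (not code from bluebird, Twistlock or the KB article), a small Node script that reproduces the false positive the quoted text describes and shows the triage a defender actually wants: a caret-prefixed spec like `^0.0.5` is a range, not a version; its floor can only say the range *may* admit a vulnerable release, and a devDependency never ships in the runtime image. The package.json and advisory values below are constructed to mirror this thread.

```javascript
// Constructed package.json resembling the situation in the thread (assumption).
const PACKAGE_JSON = {
  name: "example-app",
  dependencies: { bluebird: "^3.5.0" },
  devDependencies: { open: "^0.0.5" },
};

// Advisory as stated in the thread: open <= 0.0.5 vulnerable, fixed above 0.0.5.
const ADVISORY = { name: "open", fixedAbove: "0.0.5" };

const VERSION_RE = /^\d+\.\d+\.\d+$/;

// What a naive scanner does: treat the raw spec string as the installed version.
function naiveIsVersion(spec) {
  return VERSION_RE.test(spec);
}

// Strip the npm range prefix (^, ~, >=, =) to get the lowest version the range admits.
function lowerBound(spec) {
  const m = spec.match(/^(?:[\^~]|>=|=)?\s*(\d+\.\d+\.\d+)$/);
  return m ? m[1] : null;
}

function parse(v) { return v.split(".").map(Number); }
function cmp(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Triage one advisory against package.json: where is the package declared,
// does the raw spec even parse as a version, and can the declared range still
// resolve to a version at or below the last vulnerable one?
function triage(pkg, advisory) {
  for (const section of ["dependencies", "devDependencies"]) {
    const spec = (pkg[section] || {})[advisory.name];
    if (spec === undefined) continue;
    const lb = lowerBound(spec);
    return {
      section,
      spec,
      rawParsesAsVersion: naiveIsVersion(spec),
      lowerBound: lb,
      // A caret/tilde range whose floor is vulnerable may still resolve higher;
      // only the lockfile or the installed node_modules says which version is in use.
      floorVulnerable: lb !== null && cmp(lb, advisory.fixedAbove) <= 0,
      inRuntimeImage: section === "dependencies",
    };
  }
  return null; // package not declared at all
}
```

Run it with `node` and inspect `triage(PACKAGE_JSON, ADVISORY)`: the finding lands in devDependencies, the raw `^0.0.5` is not a version, and the range floor is not proof of the installed version.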