Vulnerable version of node-notifier in dependency tree
I got a security notice for node-notifier in my project that uses tsdx@0.14.0 (see screenshot below).

This is the output of npm ls node-notifier:

➜ npm ls node-notifier
└─┬ tsdx@0.14.1
  └─┬ jest@25.5.4
    └─┬ @jest/core@25.5.4
      └─┬ @jest/reporters@25.5.1
        └── node-notifier@6.0.0

Looks like updating the version of jest to 26.0.0 would fix this issue.
Screenshot
Issue Analytics
- Created 3 years ago
- Reactions: 7
- Comments: 6 (2 by maintainers)
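The tree above is what npm prints for a single package; when the same package is pulled in through several chains it is easier to walk the JSON form of the output. The following is an added example, not code from the issue or from tsdx/jest: it walks an object shaped like `npm ls node-notifier --json` (a constructed sample mirroring the tree in the issue) and lists every chain that ends in a version below the one you consider patched. MIN_FIXED_VERSION is an assumed placeholder, not a value from the issue.

```javascript
// Added example, not code from the issue or from tsdx/jest: walk the JSON form of the
// tree shown above (`npm ls node-notifier --json`) and list every dependency chain that
// ends in a version of the package below the version you consider patched.
// MIN_FIXED_VERSION is an ASSUMED placeholder; take the real value from the advisory.
const MIN_FIXED_VERSION = "8.0.1";

// Constructed sample shaped like `npm ls --json` output, mirroring the tree in the issue.
const dep = (version, dependencies = {}) => ({ version, dependencies });
const SAMPLE_TREE = dep("1.0.0", {
  tsdx: dep("0.14.1", {
    jest: dep("25.5.4", {
      "@jest/core": dep("25.5.4", {
        "@jest/reporters": dep("25.5.1", { "node-notifier": dep("6.0.0") }),
      }),
    }),
  }),
});

// Numeric "x.y.z" comparison only; prerelease tags such as "-beta.1" are not handled.
function versionLessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk over `dependencies`; returns chains such as
// "tsdx@0.14.1 > jest@25.5.4 > ... > node-notifier@6.0.0". Entries without a
// version (npm marks missing packages that way) are skipped rather than compared.
function findVulnerablePaths(tree, pkgName, minFixed, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, `${name}@${info.version ?? "?"}`];
    if (name === pkgName && info.version && versionLessThan(info.version, minFixed)) {
      hits.push(chain.join(" > "));
    }
    hits.push(...findVulnerablePaths(info, pkgName, minFixed, chain));
  }
  return hits;
}

// Stand-alone run: one line per vulnerable chain (swap in JSON.parse of real npm output).
for (const chain of findVulnerablePaths(SAMPLE_TREE, "node-notifier", MIN_FIXED_VERSION)) {
  console.log(chain);
}
```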
Top GitHub Comments
Thanks for reporting this, I see the same issue here. I’m not sure if the vulnerable code path actually affects us though.
Unfortunately that is easier said than done given that it would require a breaking change.
The patch in node-notifier is quite small, so I would think that would be simple to backport to v6 as well.

Jest 26 was also vulnerable until a backport was made for v8.
Gotcha. Thanks @karlhorky! And appreciate the quick response! 🙏🏼