Known vulberabilites

[adrbogacz]

Swagger node runner contains 2 know vulnerabilities in different dependence package, is any plan to use
newer version of that packages?

[theganyo]

What are you referring to?

[adrbogacz]

https://github.com/nodesecurity/nsp
I check my project with this tool and its report that you are using outdated debug package version with know vulnerability:
https://nodesecurity.io/advisories/534

Additional some of Your dependencies also includes reported vulnerabilities.

[GreensterRox]

Hello I have the same issue,

I'm using Swagger https://www.npmjs.com/package/swagger which in turn uses swagger-connect version 0.1.0.

As I understand it swagger-connect is just a wrapper for this project swagger-node-runner.

When I use nsp: https://www.npmjs.com/package/nsp . it gives me the following vulnerabilities:

• [email protected] > [email protected] > [email protected] > [email protected]

• https://nodesecurity.io/advisories/536

• [email protected] > [email protected] > [email protected] > [email protected]

• https://nodesecurity.io/advisories/479

• [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

• https://nodesecurity.io/advisories/535

• [email protected] > [email protected] > [email protected] > [email protected] > [email protected]

• https://nodesecurity.io/advisories/534

Any ideas how I can remove these vulnerabilities ?

Thanks !

[theganyo]

Yes. I suggest you upgrade. swagger-connect 0.1.0 is ancient, the current version is 0.7.0. The readme of this repo has information as to upgrading to a more modern version.

[GreensterRox]

Thank you for your response, if this version is so old, any ideas why it is being used as the default version when I run Swagger create project ?

[theganyo]

That's a good question, but one I can't properly answer. Here is the repo for that project: https://github.com/swagger-api/swagger-node. Perhaps they'd like help updating their templates to a recent version.