thanks for the bug reports @quahfamili - please feel free to add issues on our bug tracker here:
https://github.com/designcreateplay/NodeBB/issues
and we'll sort em out as soon as we can - thanks!
Security issue
-
When doing this, how to fix? @julian, can you update this for 1.11.x ??? ( 4 vulns involved breaking changes)
plz advize!git clone https://github.com/NodeBB/NodeBB.git ; cd NodeBB git checkout v1.11.x npm install --production npm audit fix up to date in 9.946s fixed 0 of 5 vulnerabilities in 4314 scanned packages 1 vulnerability required manual review and could not be updated 1 package update for 4 vulns involved breaking changes (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually) === npm audit security report === # Run npm install less@3.9.0 to resolve 4 vulnerabilities SEMVER WARNING: Recommended action is a potentially breaking change Moderate Prototype pollution Package hoek Dependency of less Path less > request > hawk > boom > hoek More info https://nodesecurity.io/advisories/566 Moderate Prototype pollution Package hoek Dependency of less Path less > request > hawk > cryptiles > boom > hoek More info https://nodesecurity.io/advisories/566 Moderate Prototype pollution Package hoek Dependency of less Path less > request > hawk > hoek More info https://nodesecurity.io/advisories/566 Moderate Prototype pollution Package hoek Dependency of less Path less > request > hawk > sntp > hoek More info https://nodesecurity.io/advisories/566 Manual Review Some vulnerabilities require your attention to resolve Visit https://go.npm.me/audit-guide for additional guidance Low Regular Expression Denial of Service Package debug Patched in >= 2.6.9 < 3.0.0 || >= 3.1.0 Dependency of socket.io-adapter-mongo Path socket.io-adapter-mongo > debug More info https://nodesecurity.io/advisories/534 found 5 vulnerabilities (1 low, 4 moderate) in 4314 scanned packages 4 vulnerabilities require semver-major dependency updates. 1 vulnerability requires manual review. See the full report for details. -
According to the issues here, this is a false positive and updating won't actually make the error go away. Annoying to say the least.
https://github.com/hapijs/hoek/issues?utf8=✓&q=is%3Aissue+Moderate+Prototype+pollution
-
@yariplus ok thanks. as long as it is safe
