This repository has been archived by the owner on Aug 30, 2021. It is now read-only.

Bug: Remove gulp-wiredep dependency #1398

Closed
lirantal opened this issue Jul 14, 2016 · 3 comments

@lirantal
Member

nsp reports gulp-wiredep as problematic due to dependencies which are out of date and are subject to RegEx attacks. That plugin is anyway another leftpad so we really need to take it out of our build system in gulp.

@lirantal
Member Author

A couple of suggestions for the upcoming PR:

  1. Use the native wiredep library that is compatible with gulp's stream system
  2. Use gulp-inject

@shanavas786
Contributor

nsp reports a lot more.

| Advisory | Name | Installed | Vulnerable | Patched | Path | More Info |
| --- | --- | --- | --- | --- | --- | --- |
| Regular Expression Denial of Service | minimatch | 2.0.10 | <=3.0.1 | >=3.0.2 | [email protected] > [email protected] > forever-monitor… | https://nodesecurity.io/advisories/118 |
| Regular Expression Denial of Service | minimatch | 2.0.10 | <=3.0.1 | >=3.0.2 | [email protected] > [email protected] > [email protected] | https://nodesecurity.io/advisories/118 |
| Regular Expression Denial of Service | minimatch | 0.3.0 | <=3.0.1 | >=3.0.2 | [email protected] > [email protected] > [email protected] > mini… | https://nodesecurity.io/advisories/118 |
| DoS due to excessively large websocket message | ws | 1.1.0 | <=1.1.0 | >=1.1.1 | [email protected] > [email protected] > [email protected].… | https://nodesecurity.io/advisories/120 |
| Regular Expression Denial of Service | negotiator | 0.4.9 | <= 0.6.0 | >= 0.6.1 | [email protected] > [email protected] > [email protected].… | https://nodesecurity.io/advisories/106 |
| DoS due to excessively large websocket message | ws | 1.0.1 | <=1.1.0 | >=1.1.1 | [email protected] > [email protected] > socket.io-clie… | https://nodesecurity.io/advisories/120 |
| Regular Expression Denial of Service | uglify-js | 2.4.24 | <2.6.0 | >=2.6.0 | [email protected] > [email protected] > [email protected] | https://nodesecurity.io/advisories/48 |

@lirantal
Member Author

Indeed. There are some issues I already opened in the past regarding swig, and file-stream-rotator. Let's focus on the wiredep dependency in this PR.

shanavas786 added a commit to shanavas786/mean that referenced this issue Jul 22, 2016