update tiny-lr #530

Closed
akoskm opened this issue Dec 22, 2016 · 3 comments

akoskm commented Dec 22, 2016

The latest versions of tiny-lr aren't depending on body-parser anymore. Can we update it to its latest version?

I'm willing to send a pull request but I was wondering if there's a reason behind going with 0.2.1.

mattcollier added a commit to digitalbazaar/grunt-contrib-watch that referenced this issue Jun 12, 2017
Fixes gruntjs#530 and also addresses https://snyk.io/vuln/npm:ms:20170412
because `tiny-lr@1` has eliminated its former `body-parser` dependency.

dackmin commented Oct 30, 2017

In addition to this, tiny-lr is still using debug#v2.6.7 which throws Low Vulnerability issues over at node-security (found here). Maybe we should wait for tiny-lr to be updated with an (already) patched version of debug before merging this PR (I created an issue on their repo) or replace tiny-lr with something else.

@dkomando

Just ran a snyk security test to add to this:

```
$ snyk test
✗ High severity vulnerability found on qs@5.1.0

  • desc: Prototype Override Protection Bypass
  • info: https://snyk.io/vuln/npm:qs:20170213
  • from: myApp > grunt-contrib-watch@1.0.0 > tiny-lr@0.2.1 > qs@5.1.0
    No direct dependency upgrade can address this issue.
```

@plroebuck

Any progress? Are there that many changes needed to migrate to current version of tiny-lr?
