I use gulp in my Node project and I was using gulp-nodemon for running nodemon within it, which in turn requires some dependencies, which in turn require dependencies, and so on.
I was doing some security testing on my project using nsp and found a vulnerability in my dependency brace-expansion; the resolution was to upgrade the package version to 1.1.7 or later: https://nodesecurity.io/advisories/338
The dependency tree is like this:
↳ gulp-nodemon 2.2.1
  ↳ gulp 3.9.1
    ↳ vinyl-fs 0.3.14
      ↳ glob-stream 3.1.18
        ↳ glob 4.5.3
          ↳ minimatch 2.0.10
            ↳ brace-expansion 1.1.6
So, how do I solve such a problem? I guess I have to coordinate with all the people involved in the chain to fix this, and some of them are inactive.
Is there any elegant way to fix these issues involving chained dependencies?