
I clone the electron-api-demos repository:

$ git clone https://github.com/electron/electron-api-demos
$ cd electron-api-demos

And when I install the packages with npm install, npm warns me about 5 vulnerabilities and advises me to fix them with npm audit fix.

I run the fix command and witness that 4 of them are fixed, except one, which demands my manual review:

$ npm audit
=== npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Low             Regular Expression Denial of Service

  Package         braces

  Patched in      >=2.3.1

  Dependency of   check-for-leaks [dev]

  Path            check-for-leaks > anymatch > micromatch > braces

  More info       https://nodesecurity.io/advisories/786

found 1 low severity vulnerability in 2259 scanned packages
  1 vulnerability requires manual review. See the full report for details.

So the problem is with braces package:

$ npm list braces
electron-api-demos@2.0.2 D:\Code\electron-api-demos
`-- check-for-leaks@1.2.0
  `-- anymatch@1.3.2
    `-- micromatch@2.3.11 
      `-- braces@1.8.5   <-----------

$ npm show braces version
3.0.2

Hooray! If I just update this package, I can get rid of this "low severity vulnerability," which is bugging me for life.

But the problem is that I don't directly depend on this package, so I can't just use "braces": "^2.3.1" (or "braces": "^3.0.2").

I wanted to know whose fault this is:

$ npm show check-for-leaks version
1.2.0

I checked check-for-leaks's GitHub page, and I can see that they're using "anymatch": "^1.3.0", and if I run:

$ npm show anymatch version
3.0.1

I can see that they're not using the updated version of anymatch.

The repository's latest commit is from 2 years ago! So I don't suppose submitting an issue will resolve this problem any time soon.


My question: How can I update this package without resorting to "ugly hacks"?
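One way to pin the transitive braces version without forking check-for-leaks, as an added example that is not part of the original question: the overrides field in package.json, which npm 8.3 or later honours when resolving the tree. The nested form below limits the override to the check-for-leaks > anymatch > micromatch path from the audit output, and the range is taken from the advisory's "Patched in >=2.3.1"; since micromatch@2.3.11 currently resolves braces@1.8.5, the override forces a version outside the range micromatch was released against, so the dev tooling that depends on check-for-leaks has to be exercised afterwards to confirm it still works.

```json
{
  "overrides": {
    "check-for-leaks": {
      "anymatch": {
        "micromatch": {
          "braces": "^2.3.1"
        }
      }
    }
  }
}
```

Merge this field into the project's existing package.json, then run npm install followed by npm ls braces to confirm the resolved version under check-for-leaks, and npm audit to confirm the advisory no longer matches.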
