Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update moment in our dependency graph to 2.19.3 #63

Closed
urbanslug opened this issue Mar 7, 2018 · 0 comments
Closed

Update moment in our dependency graph to 2.19.3 #63

urbanslug opened this issue Mar 7, 2018 · 0 comments
Assignees
@urbanslug

Comments

@urbanslug
Copy link
Collaborator

urbanslug commented Mar 7, 2018
edited

Patch our dependency graph in regards to https://nvd.nist.gov/vuln/detail/CVE-2017-18214

Our package-lock.json shows that in our dependency tree we depend on moment@2.19.1 however this version of moment has a known vulnerability as described moment/moment#4163

The packages depending on moment are those that botkit depends on specifically:

  • chrono-node
  • ink-docstrap
  • joi

Updating the version of botkit that we depend on could fix this but we might have to create issues under those specific packages.

Output from npm outdated currently is:

Package     Current  Wanted  Latest  Location
botkit        0.6.6   0.6.6  0.6.11  borq
i18next       9.1.0   9.1.0  10.5.0  borq
node-fetch    1.7.3   1.7.3   2.1.1  borq
@urbanslug urbanslug self-assigned this Mar 7, 2018
@urbanslug urbanslug changed the title Update in our dependency graph to 2.19.3 Update moment in our dependency graph to 2.19.3 Mar 7, 2018
@urbanslug urbanslug mentioned this issue Mar 7, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@urbanslug urbanslug

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@urbanslug