Good morning,

I am using `grpc` version 1.6.0 with NodeJS 6.9.x and a simplified dependency tree looks like this:

The problem comes from the version of tough-cookie. There is a vulnerability in tough-cookie version 2.3.2: salesforce/tough-cookie#92. This vulnerability was fixed in 2.3.3 by salesforce/tough-cookie#97.

The Whitesource software flags my application because of this vulnerability.

I don't know why `node-pre-gyp` is bundled with the package, but I'm pretty sure you have a reason for it so I will not ask to get a clean grpc package, without `bundleDependencies`. But, would it be possible to re-publish a version of grpc with a later version of `node-pre-gyp` bundled with it? This will result in a later version of `request`, which will result in version 2.3.3 of `tough-cookie`.

Thanks.
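The situation described in the issue above, as an added example that is not part of the original post or of the grpc project: a Node.js script that walks nested `node_modules` folders and reports copies of `tough-cookie` older than 2.3.3, noting when they sit under a package that declares `bundleDependencies`. The function names, the on-disk layout of the constructed tree and the `0.0.0` placeholder version are assumptions.

```javascript
const fs = require('fs'), os = require('os'), path = require('path');

// Numeric compare of plain x.y.z versions (pre-release tags are not handled).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}
function readManifest(dir) {
  try { return JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8')); }
  catch (e) { return null; } // not a package directory
}
// Package directories directly inside one node_modules folder, expanding @scope folders.
function packageDirs(nm) {
  if (!fs.existsSync(nm)) return [];
  return fs.readdirSync(nm).filter(e => !e.startsWith('.')).flatMap(e =>
    e.startsWith('@') ? fs.readdirSync(path.join(nm, e)).map(s => path.join(nm, e, s))
                      : [path.join(nm, e)]);
}
// Report installed copies of `name` older than `fixed`. `shippedBy` is the nearest
// ancestor that declares bundleDependencies: a heuristic for "this copy came inside
// that package's tarball", so only a re-publish of the ancestor replaces it.
function findOldCopies(root, name, fixed, chain = [], shippedBy = null, out = []) {
  for (const dir of packageDirs(path.join(root, 'node_modules'))) {
    const m = readManifest(dir);
    if (!m || !m.name || !m.version) continue;
    const old = m.name === name && cmpVersion(m.version, fixed) < 0;
    if (old) out.push({ version: m.version, via: chain.join(' > '), shippedBy });
    const b = m.bundleDependencies || m.bundledDependencies; // npm accepts both spellings
    const declares = b === true || (Array.isArray(b) && b.length > 0);
    findOldCopies(dir, name, fixed, chain.concat(m.name), declares ? m.name : shippedBy, out);
  }
  return out;
}
// Constructed sample tree (layout and the 0.0.0 version are assumptions, not from the issue).
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'bundled-'));
  const pkgs = [
    ['node_modules/grpc', { name: 'grpc', version: '1.6.0', bundleDependencies: ['node-pre-gyp'] }],
    ['node_modules/grpc/node_modules/node-pre-gyp', { name: 'node-pre-gyp', version: '0.0.0' }],
    ['node_modules/grpc/node_modules/tough-cookie', { name: 'tough-cookie', version: '2.3.2' }],
    ['node_modules/tough-cookie', { name: 'tough-cookie', version: '2.3.3' }]];
  for (const [rel, manifest] of pkgs) {
    fs.mkdirSync(path.join(root, rel), { recursive: true });
    fs.writeFileSync(path.join(root, rel, 'package.json'), JSON.stringify(manifest));
  }
  return root;
}
console.log(findOldCopies(buildSampleTree(), 'tough-cookie', '2.3.3'));
```

On a real project, pass the project directory instead of `buildSampleTree()`; a non-null `shippedBy` is the case where updating the top-level dependency leaves the old copy in place.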