Vulnerability in dependencies #161

Closed
ghengeveld opened this issue Nov 5, 2015 · 5 comments
@ghengeveld

As reported by Snyk via `snyk test npm-check-updates`:

```
✗ Vulnerability found on semver@2.3.2
Info: https://app.snyk.io/vuln/npm:semver:20150403
From: npm-check-updates@2.3.4 > bower@^1.5.3 > semver@^2.3.0
No direct dependency upgrade can address this issue.
Run `snyk protect -i` to patch this vulnerability
Alternatively, manually upgrade deep dependency semver@^2.3.0 to semver@4.3.2

✗ Vulnerability found on uglify-js@2.3.6
Info: https://app.snyk.io/vuln/npm:uglify-js:20150824
From: npm-check-updates@2.3.4 > bower@^1.5.3 > handlebars@^2.0.0 > uglify-js@~2.3
No direct dependency upgrade can address this issue.
Run `snyk protect -i` to patch this vulnerability
Alternatively, manually upgrade deep dependency handlebars@^2.0.0 to handlebars@4.0.0 (triggers upgrades to uglify-js@2.4.24)

Tested npm-check-updates for known vulnerabilities, found 2 vulnerabilities.
```
@raineorshine (Owner)

Hadn't heard of Snyk! Thanks! Will address next release.

@raineorshine (Owner)

Published in v2.4.0

@raineorshine (Owner)

Broke something for somebody in #136. I would love Snyk if it worked out of the box, but I can't get behind it if the postinstall script is breaking in certain environments. Maybe in the future it will be more stable.

Reverted in v2.4.1.

@ghengeveld (Author)

I never suggested making Snyk part of ncu, just that you fix the vulnerabilities. 👍

@raineorshine (Owner)

Hi Gert. Thanks for clarifying! From what I can tell, since the vulnerabilities don't exist in any direct dependencies of ncu that I can upgrade myself, Snyk needs to patch the vulnerabilities in the deep dependency tree after every ncu install. This is why Snyk was added to ncu, to enable this per-install patching. Unfortunately, that is what caused ncu to break in certain environments. There is no way to fix the vulnerabilities otherwise.
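
The thread above turns on where a vulnerable package sits in the dependency tree: the Snyk output shows `semver@2.3.2` and `uglify-js@2.3.6` reached only through `bower`, so no version bump in `npm-check-updates`' own `package.json` changes them. The script below is an added example and is not code from the issue, from Snyk, or from npm-check-updates. It walks the JSON shape that `npm ls --json` emits and prints, for every package resolved below its fixed version, the `root > a > b` path Snyk prints as "From:", and flags the ones that are transitive. The tree, the fix-version table and the direct `semver@5.0.3` entry are constructed for the example; the fix versions are the ones the quoted Snyk output recommends.

```javascript
// Added example (not from the issue, Snyk, or npm-check-updates): report every
// path in an `npm ls --json` tree that resolves a package to a version below
// the version in which it was fixed, and say whether a direct upgrade would
// address it. Input tree and advisory table are constructed for the example.

// Constructed, trimmed to the fields `npm ls --json` emits (name, version,
// dependencies). The nested versions mirror the paths quoted in the issue; the
// direct semver@5.0.3 entry is invented to show a non-vulnerable copy.
const SAMPLE_TREE = {
  name: 'npm-check-updates',
  version: '2.3.4',
  dependencies: {
    bower: {
      version: '1.5.3',
      dependencies: {
        semver: { version: '2.3.2' },
        handlebars: {
          version: '2.0.0',
          dependencies: {
            'uglify-js': { version: '2.3.6' },
          },
        },
      },
    },
    semver: { version: '5.0.3' },
  },
};

// Constructed advisory table: package name -> first fixed version, taken from
// the "manually upgrade ... to" lines of the Snyk output quoted in the issue.
const FIXED_IN = {
  semver: '4.3.2',
  'uglify-js': '2.4.24',
};

// Minimal numeric major.minor.patch parser, so the checker does not itself
// depend on the `semver` package it is auditing. Pre-release tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a plain semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk. Returns one hit per vulnerable node, each with the chain
// of name@version from the root, in the order `npm ls` lists dependencies.
function findVulnerable(tree, fixedIn) {
  const hits = [];
  function walk(node, name, path) {
    const here = [...path, `${name}@${node.version}`];
    const fixed = fixedIn[name];
    if (fixed && compareVersions(node.version, fixed) < 0) {
      hits.push({ name, version: node.version, fixedIn: fixed, path: here });
    }
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      walk(dep, depName, here);
    }
  }
  walk(tree, tree.name, []);
  return hits;
}

// A hit is fixable by the root project alone only when the vulnerable package
// is a direct dependency (path is root > package). Anything deeper needs the
// intermediate package to move first, which is the situation in the issue.
function isDirect(hit) {
  return hit.path.length === 2;
}

function report(tree, fixedIn) {
  return findVulnerable(tree, fixedIn).map(
    (h) =>
      `${h.name}@${h.version} (fixed in ${h.fixedIn}) via ${h.path.join(' > ')}` +
      (isDirect(h) ? '' : ' [transitive: no direct upgrade fixes it]'),
  );
}

// For a real project: npm ls --json > tree.json, then pass
// JSON.parse(fs.readFileSync('tree.json', 'utf8')) instead of SAMPLE_TREE.
for (const line of report(SAMPLE_TREE, FIXED_IN)) console.log(line);
```

Only `semver` and `uglify-js` appear in the constructed table, so the direct `semver@5.0.3` copy is examined and passes, while both nested copies come out flagged as transitive; that is exactly the case the maintainer describes, where the root project has nothing of its own to bump.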
