After adding nodemon to devDependencies on my node.js app, I get a Security Alert on GitHub:
moderate severity
Vulnerable versions: < 1.2.2
Patched version: 1.2.2
There are high severity security vulnerabilities in two of ESLint's dependencies:
- acorn
- minimist
The releases 1.8.3 and lower of svjsl (JSLib-npm) are vulnerable, but only if installed in a developer environment. A patch has been released (v1.8.4) which fixes these vulnerabilities.
Identifiers:
CVE-2020-7598
SNYK-JS-ACORN-559469 (doesn't have a CVE identifier)
My package.json:
{
  "name": "web-server",
  "version": "1.0.0",
  "description": "",
  "main": "app.js",
  "scripts": {
    "start": "node src/app.js",
    "dev": "nodemon src/app.js -e js,hbs"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "express": "^4.17.1",
    "hbs": "^4.1.0"
  },
  "devDependencies": {
    "nodemon": "^2.0.2"
  }
}
I don't know exactly what I should do, or whether I should provide more information/code about my app.
Github repo: https://github.com/badrddinb/simple-weather-website
The issue is that one of your dependencies depends on an outdated version of my library. You can either add "svjsl": "^1.8.4" to the "devDependencies" object, or set every occurrence of "svjsl" in the "package-lock.json" file to have a version of "^1.8.4" and an integrity of "sha512-U+RX1x7Tslxx68GAr1F9wBaRAjCA9cFliOSOvtWqVuVg0IRUdStsMYah/3Q8gluRomD/h3co7q4MYU62kTwzmA==".

It would also be a good idea to see which package depends on the outdated version and contact that package's author to tell them to update svjsl to a newer version.
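To find out which package pulls in the outdated copy, as the answer suggests, you can read package-lock.json directly rather than guessing. The script below is an added example, not code from the question, the answer or the svjsl project. It flattens either lock-file layout (lockfileVersion 1 "dependencies" tree, or the "packages" map of lockfileVersion 2/3), lists every installed copy of a package, flags copies below the patched version, and attributes each copy to the packages that resolve to it under Node's nearest-node_modules lookup. The package name and patched version are taken from the answer; both lock files embedded below are constructed for this example, and versions are assumed to be plain x.y.z strings.

```javascript
// Added example: audit a package-lock.json for outdated copies of one package.
// Assumptions: lockfileVersion 1 or 2/3 layout; plain x.y.z versions.
// Sample lock files below are constructed, not taken from a real project.

// Compare two "x.y.z" versions numerically (pre-release tags ignored); -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Flatten either lock-file layout into [{ path, name, version, requires }].
function flattenLock(lock) {
  const nodes = [];
  const marker = "node_modules/";
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths, "" is the root project.
    for (const [path, pkg] of Object.entries(lock.packages)) {
      const name = path === "" ? pkg.name || "(root)" : path.slice(path.lastIndexOf(marker) + marker.length);
      nodes.push({ path, name, version: pkg.version || "0.0.0",
                   requires: { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) } });
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree; "requires" lists ranges.
    const walk = (deps, prefix) => {
      for (const [name, pkg] of Object.entries(deps || {})) {
        const path = `${prefix}${marker}${name}`;
        nodes.push({ path, name, version: pkg.version, requires: pkg.requires || {} });
        walk(pkg.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return nodes;
}

// List every installed copy of `name`, whether it is below `patched`, and the
// packages that resolve to it (innermost enclosing node_modules wins).
function auditLock(lock, name, patched) {
  const nodes = flattenLock(lock);
  const suffix = "node_modules/" + name;
  const copies = nodes.filter((n) => n.name === name).map((n) => ({
    path: n.path,
    version: n.version,
    vulnerable: compareVersions(n.version, patched) < 0,
    // directory whose node_modules holds this copy ("" = project root)
    parent: n.path.slice(0, n.path.length - suffix.length).replace(/\/$/, ""),
    requiredBy: [],
  }));
  for (const dep of nodes) {
    if (!(name in dep.requires)) continue;
    const visible = copies.filter(
      (c) => c.parent === "" || dep.path === c.parent || dep.path.startsWith(c.parent + "/"));
    visible.sort((a, b) => b.parent.length - a.parent.length);
    if (visible.length) visible[0].requiredBy.push(`${dep.name}@${dep.version}`);
  }
  return copies.map(({ parent, ...rest }) => rest);
}

// Constructed lockfileVersion 1 sample: a dev tool nests its own old copy.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-dev-tool": {
      version: "3.1.0",
      requires: { svjsl: "^1.8.0" },
      dependencies: { svjsl: { version: "1.8.3" } },
    },
    svjsl: { version: "1.8.4" },
    "other-tool": { version: "0.4.0", requires: { svjsl: "^1.8.4" } },
  },
};

// Constructed lockfileVersion 2 sample: the project itself pins the fixed version.
const SAMPLE_LOCK_V2 = {
  lockfileVersion: 2,
  packages: {
    "": { name: "web-server", version: "1.0.0", devDependencies: { svjsl: "^1.8.4" } },
    "node_modules/svjsl": { version: "1.8.4" },
    "node_modules/some-dev-tool": { version: "3.1.0", dependencies: { svjsl: "^1.8.0" } },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node audit-lock.js [package-lock.json] [package] [patchedVersion]
  const lock = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK_V1;
  for (const c of auditLock(lock, process.argv[3] || "svjsl", process.argv[4] || "1.8.4")) {
    console.log(`${c.vulnerable ? "VULNERABLE" : "ok"} ${c.path}@${c.version} <- ${c.requiredBy.join(", ") || "(nothing)"}`);
  }
}
```

Run it against the real lock file with `node audit-lock.js package-lock.json svjsl 1.8.4`; each line names one installed copy, whether it is below the patched version, and which packages actually load it, which is the information you need before editing package-lock.json by hand or contacting the upstream author. Note that a top-level "svjsl": "^1.8.4" entry only helps packages that resolve to the top-level copy; a dependency with its own nested copy keeps loading that copy until its lock entry is changed too.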