
I use gulp in my Node project and I was using gulp-nodemon for running nodemon, which in turn requires some dependencies, which in turn require dependencies, and so on.

I was doing some security testing on my project using nsp and found a vulnerability in my dependency brace-expansion; the resolution was to upgrade my package version to 1.1.7 or later: https://nodesecurity.io/advisories/338

The dependency tree is like this:

↳ gulp-nodemon 2.2.1
  ↳ gulp 3.9.1
    ↳ vinyl-fs 0.3.14
      ↳ glob-stream 3.1.18
        ↳ glob 4.5.3
          ↳ minimatch 2.0.10
            ↳ brace-expansion 1.1.6

So, how do I solve such a problem? I guess I have to coordinate with all the people involved in the chain to fix this, and some of them are inactive.

Is there any elegant way to fix these issues involved with chained dependencies?


1 Answer


Found an answer after digging a bit more.

How do I override nested NPM dependency versions?

Refer to the above link for the solution.
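An added example (not from the question or the linked answer) that automates the check the question describes: it walks an `npm ls --json`-style dependency tree, reports every path that reaches brace-expansion below the advisory's fixed version 1.1.7, and builds the package.json `overrides` entry (npm 8.3 and later) that forces the nested copy onto a fixed release. The tree, including the second minimatch branch, is constructed sample data modelled on the chain in the question; the version comparison assumes plain x.y.z versions.

```javascript
// Constructed sample tree in the shape of `npm ls --json` output (not real data).
const tree = {
  name: 'my-project', version: '1.0.0',
  dependencies: {
    'gulp-nodemon': { version: '2.2.1', dependencies: {
      gulp: { version: '3.9.1', dependencies: {
        'vinyl-fs': { version: '0.3.14', dependencies: {
          'glob-stream': { version: '3.1.18', dependencies: {
            glob: { version: '4.5.3', dependencies: {
              minimatch: { version: '2.0.10', dependencies: {
                'brace-expansion': { version: '1.1.6' } } } } } } } } } } } } },
    // A second, already-fixed copy: must NOT be reported.
    minimatch: { version: '3.0.4', dependencies: {
      'brace-expansion': { version: '1.1.8' } } }
  }
};

// '1.1.6' -> [1, 1, 6]; assumes plain x.y.z versions (no prerelease tags).
function parseVersion(v) { return v.split('.').map(Number); }

// True when version a is strictly lower than version b.
function lessThan(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Depth-first walk; returns one 'name@ver > name@ver > ...' string per path
// that ends in `pkg` at a version below `fixedIn`.
function findVulnerablePaths(node, pkg, fixedIn, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === pkg && lessThan(dep.version, fixedIn)) hits.push(here.join(' > '));
    hits.push(...findVulnerablePaths(dep, pkg, fixedIn, here));
  }
  return hits;
}

// package.json fragment that pins every nested copy of `pkg` to >= fixedIn.
function overridesFor(pkg, fixedIn) {
  return { overrides: { [pkg]: `^${fixedIn}` } };
}

const paths = findVulnerablePaths(tree, 'brace-expansion', '1.1.7');
console.log(paths.length ? paths.join('\n') : 'no vulnerable copies found');
if (paths.length) console.log(JSON.stringify(overridesFor('brace-expansion', '1.1.7'), null, 2));
```

Against a real project, replace `tree` with the parsed output of `npm ls --json`; after adding the `overrides` stanza, rerun `npm install` and the audit to confirm the nested copy moved.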
