I have a sample system called BowFolios that I maintain for my students. I have just updated it to the latest release of Meteor, and found two “high” vulnerabilities:
Here is my packages file:
# Meteor packages used by this project, one per line.
# Check this file (and the other files in this directory) into your repository.
#
# 'meteor add' and 'meteor remove' will edit this file for you,
# but you can also edit it by hand.
# Core packages for Meteor/React/Semantic UI
meteor-base@1.5.1 # Packages every Meteor app needs to have
mobile-experience@1.1.0 # Packages for a great mobile UX
mongo@1.16.7 # The database Meteor supports right now
reactive-var@1.0.12 # Reactive variable for tracker
standard-minifier-css@1.9.2 # CSS minifier run for production mode
standard-minifier-js@2.8.1
es5-shim@4.8.0 # ECMAScript 5 compatibility for older browsers
ecmascript@0.16.7 # Enable ECMAScript2015+ syntax in app code
# typescript@3.7.6 # Enable TypeScript syntax in .ts and .tsx modules
shell-server@0.5.0 # Server-side component of the `meteor shell` command
# autopublish@1.0.7 # Publish all data to the clients (for prototyping)
Since this is a subdependency, a simple npm audit fix won’t fix it. What should I do?
Fixed it by comparing to the default app created by Meteor. Needed to change package.json to:
"meteor-node-stubs": "^1.0.1",
Also discovered that react-addons-pure-render-mixin is not needed, so I simply deleted that package.