mime security advisory even when forcing latest version

I am not an npm senior, but my understanding with some of these warnings is that I should try to force an update to the latest version to get rid of them. After npm audit fix I still have

                   === npm audit security report ===
                             Manual Review
         Some vulnerabilities require your attention to resolve
      Visit https://go.npm.me/audit-guide for additional guidance

    Moderate        Regular Expression Denial of Service
    Package         mime
    Patched in      >= 1.4.1 < 2.0.0 || >= 2.0.3
    Dependency of   rework-npm-cli [dev]
    Path            rework-npm-cli > rework > mime
    More info       https://npmjs.com/advisories/535

    found 1 moderate severity vulnerability in 24726 scanned packages
      1 vulnerability requires manual review. See the full report for details.

I tried to install mime@2.4.4 to avoid this, but I keep getting the warning when running npm audit fix. Any suggestions?

npm audit fix only does updates that are compatible with the specified ranges in the package.json of your package and each dependency. It follows the rules set by the authors.

rework-npm-cli has

    "rework": "~0.20.2"

That only allows 0.20.2 and 0.20.3, according to the semver calculator: https://semver.npmjs.com

That version of rework has an exact version of mime it requires:

    "mime": "1.2.11",

So what do you do? There aren’t any magic fixes! Some high level options are:

  • evaluate the warning and decide it does not affect you
  • move to using a different package
  • wait for, look for, or make an updated version of the problem package
  • edit the local package.json and try specifying a higher version (only works locally, does not work for publishing etc., and may break the package)

It does not affect my app, but I was hoping to clear the warning just for diligence.

Just another question: how do you establish the dependencies that are causing the problem correctly, i.e.

Dependency of rework-npm-cli [dev]

Path rework-npm-cli > rework > mime

Based on the above I would have expected to see mime in the dependencies tab here.

Also, if I go to the rework repo I do not see any GitHub issue regarding the mime dependency.

A simple and direct way to see the details of the dependencies is to look at the package.json files in the node_modules folder, following the chain of dependencies identified by npm audit. I didn't have an install, so I looked at the GitHub repos, at the package.json for the old releases.

Based on the above I would have expected to see mime in the dependencies tab here

The latest version of rework does not depend on mime, it is used by the older version of rework specified by rework-npm-cli.
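As an added example (not code from the thread, from npm, or from the rework project), the Node script below redoes the reasoning of both replies by hand. It walks the audit path rework-npm-cli > rework > mime through constructed stand-ins for the package.json files you would find under node_modules, resolves each declared range the way npm's tilde, caret and comparator syntax defines it, and reports whether any version inside the declared range also falls inside the advisory's patched range. The two ranges "~0.20.2" and "1.2.11" are the ones quoted above; the version of rework-npm-cli and the lists of published versions are assumptions chosen for illustration, not registry data. It also shows what changes if rework's pin is loosened to ^1.2.11, which is the local-package.json option from the first reply.

```javascript
// Added example for this thread (not code from npm, rework or the poster):
// redo by hand what `npm audit fix` does when it concludes that mime cannot
// be bumped, and what "read package.json in node_modules" turns up along the
// audit path. Run with: node audit-path.js

// Constructed stand-ins for node_modules/<name>/package.json. The two ranges
// "~0.20.2" and "1.2.11" are the ones quoted in the thread; the version of
// rework-npm-cli and the published-version lists below are assumptions chosen
// for illustration, not data fetched from the npm registry.
const installed = {
  "rework-npm-cli": { version: "0.1.1", dependencies: { rework: "~0.20.2" } },
  rework: { version: "0.20.3", dependencies: { mime: "1.2.11" } },
  mime: { version: "1.2.11", dependencies: {} },
};
const published = {
  rework: ["0.20.2", "0.20.3", "1.0.0", "1.0.1"],
  mime: ["1.2.11", "1.3.4", "1.4.0", "1.4.1", "1.6.0", "2.0.0", "2.0.3", "2.4.4"],
};
// Patched range exactly as npm audit printed it for advisory 535.
const PATCHED_MIME = ">= 1.4.1 < 2.0.0 || >= 2.0.3";

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way compare of two "major.minor.patch" strings (no prerelease tags).
function compare(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Expand a range into alternatives (split on "||"), each a list of [op, version]
// comparators. Tilde and caret are rewritten into the comparators they stand for.
function toComparators(range) {
  return range.split("||").map((alt) => {
    alt = alt.trim();
    const tilde = /^~(\d+\.\d+\.\d+)$/.exec(alt);
    if (tilde) {                       // ~1.2.3 means >=1.2.3 <1.3.0
      const [M, m] = parseVersion(tilde[1]);
      return [[">=", tilde[1]], ["<", `${M}.${m + 1}.0`]];
    }
    const caret = /^\^(\d+\.\d+\.\d+)$/.exec(alt);
    if (caret) {                       // ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
      const [M, m, p] = parseVersion(caret[1]);
      const upper = M > 0 ? `${M + 1}.0.0` : m > 0 ? `0.${m + 1}.0` : `0.0.${p + 1}`;
      return [[">=", caret[1]], ["<", upper]];
    }
    const comps = [];
    const re = /(>=|<=|>|<|=)?\s*(\d+\.\d+\.\d+)/g;
    for (let c; (c = re.exec(alt)) !== null; ) comps.push([c[1] || "=", c[2]]);
    if (comps.length === 0) throw new Error(`unsupported range: ${range}`);
    return comps;                      // a bare "1.2.11" becomes the exact pin ["=", "1.2.11"]
  });
}

const OPS = { ">=": (c) => c >= 0, ">": (c) => c > 0, "<=": (c) => c <= 0, "<": (c) => c < 0, "=": (c) => c === 0 };

function satisfies(version, range) {
  return toComparators(range).some((alt) => alt.every(([op, v]) => OPS[op](compare(version, v))));
}

// Highest published version inside `range`, or null. This is the only choice
// `npm audit fix` has: it never steps outside the range the dependant declared.
function highestSatisfying(versions, range) {
  const hits = versions.filter((v) => satisfies(v, range)).sort(compare);
  return hits.length ? hits[hits.length - 1] : null;
}

// Walk an audit path (parent > child > ...) reading each package.json in turn,
// then ask whether any version the last dependant allows is also patched.
function explainAuditPath(tree, registry, path, patchedRange) {
  const hops = [];
  for (let i = 1; i < path.length; i++) {
    const parent = path[i - 1], child = path[i];
    const range = tree[parent].dependencies[child];
    const known = registry[child] || [tree[child].version];
    hops.push({ parent, child, range, installed: tree[child].version,
                highestInRange: highestSatisfying(known, range) });
  }
  const last = hops[hops.length - 1];
  const candidates = registry[last.child] || [];
  return {
    hops,
    installedPatched: satisfies(last.installed, patchedRange),
    fixable: candidates.some((v) => satisfies(v, last.range) && satisfies(v, patchedRange)),
  };
}

const AUDIT_PATH = ["rework-npm-cli", "rework", "mime"];

// The first reply's last option: loosen the pin in the local copy of a
// package.json and see whether audit fix would then have something to pick.
function withLoosenedPin(tree, pkg, dep, range) {
  return { ...tree, [pkg]: { ...tree[pkg], dependencies: { ...tree[pkg].dependencies, [dep]: range } } };
}

if (typeof require !== "undefined" && require.main === module) {
  const scenarios = [["as installed", installed],
                     ["rework pinned to ^1.2.11", withLoosenedPin(installed, "rework", "mime", "^1.2.11")]];
  for (const [label, tree] of scenarios) {
    const r = explainAuditPath(tree, published, AUDIT_PATH, PATCHED_MIME);
    console.log(`== ${label}`);
    for (const h of r.hops)
      console.log(`${h.parent} wants ${h.child}@${h.range}: installed ${h.installed}, best allowed ${h.highestInRange}`);
    console.log(r.fixable ? "npm audit fix could bump mime" : "manual review: nothing in range is patched");
  }
}
```

With the exact pin "1.2.11" the only version rework allows is the vulnerable one, so the script reports manual review, which is what npm audit printed; with the pin loosened to ^1.2.11 the highest allowed version becomes 1.6.0, which is inside the patched range, so audit fix would have something to choose. The range parser covers exact pins, tilde, caret and comparator sets, which is enough for the ranges in this thread; for anything more exotic (x-ranges, hyphen ranges, prerelease tags) use the semver package npm itself uses.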
