npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

mime security advisory even when forcing latest version

I am not an npm senior but my understanding with some of these warnings is that I should try to force an update to the latest version to get rid of them. After npm audit fix I still have

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve
                          Visit for additional guidance

    Moderate        Regular Expression Denial of Service
    Package         mime
    Patched in      >= 1.4.1 < 2.0.0 || >= 2.0.3
    Dependency of   rework-npm-cli [dev]
    Path            rework-npm-cli > rework > mime
    More info

    found 1 moderate severity vulnerability in 24726 scanned packages
    1 vulnerability requires manual review. See the full report for details.

I tried to install mime@2.4.4 to avoid this but I keep getting the warning when running npm audit fix. Any suggestions?

npm audit fix only does updates that are compatible with the specified ranges in the package.json of your package and each dependency. It follows the rules set by the authors.

rework-npm-cli has

    "rework": "~0.20.2"

That only allows 0.20.2 and 0.20.3, according to the semver calculator:

That version of rework has an exact version of mime it requires:

    "mime": "1.2.11",

So what do you do? There aren’t any magic fixes! Some high level options are:

It does not affect my app but I was hoping to clear the warning just for diligence.

Just another question, how do you establish the dependencies that are causing the problem correctly, i.e.

Dependency of rework-npm-cli [dev]

Path rework-npm-cli > rework > mime

Based on the above I would have expected to see mime in the dependencies tab here

Also if I go to the rework repo I do not see any GitHub issue regarding the mime dependency.

A simple and direct way to see the details of the dependencies is looking at the package.json files in the node_modules folder, with reference to the chain of dependencies identified by npm audit. I didn’t have an install, so I looked at the github repos looking at the package.json for the old releases.

Based on the above I would have expected to see mime in the dependencies tab here

The latest version of rework does not depend on mime, it is used by the older version of rework specified by rework-npm-cli.