npm high severity vulnerability #254

Closed
kirkins opened this issue Apr 30, 2019 · 8 comments

@kirkins

kirkins commented Apr 30, 2019

Hello, I have a project with the http-static package. When I do npm install it tells me there is a vulnerability in my dependencies. Running audit shows this project.

Looking at the npm site it seems this is only the possibility of a DDOS attack?

I'm only using this for a class and not production but I feel like the vulnerability message means I'll have to find another package even though http-static is working just fine.

Are there any plans to stop this error from showing up?

Screenshot from 2019-04-30 11-19-40

@jfhbrook
Owner

the way to make this message go away is to convince the http-server people to upgrade to 4.1.2.

@kirkins
Author

kirkins commented Apr 30, 2019

Ah I see, I tried changing it to use 4.1.2 and it breaks. Guess I'll need to find a new package.

@jfhbrook
Owner

"it breaks" is super vague

@kirkins
Author

kirkins commented Apr 30, 2019

Running npm test after upgrading to 4.1.2 causes 4 of their 25 tests to fail.

  When http-server is listening on 8080 When http-server is proxying from 8081 to 8080 it should serve files from the proxy server root directory and file content
    ✗ should match content of the served file 
        »        
        actual expected 
         
        hello, I know nodejitsu 
         // macros.js:14
  When http-server is listening on 8083 with username "good_username" and password "good_password" and the user requests an existent file with correct auth details and file content
    ✗ should match content of served file 
        »        
        actual expected 
         
        hello, I know nodejitsu 
         // macros.js:14
  When http-server is listening on 8080 it should serve files from root directory and file content
    ✗ should match content of served file 
        »        
        actual expected 
         
        hello, I know nodejitsu 
         // macros.js:14
  When gzip and brotli compression is enabled and a compressed file is available and a request accepting only gzip is made
    ✓ response should be gzip compressed
  When http-server is listening on 8080 When http-server is proxying from 8081 to 8080 it should fallback to the proxied server
    ✓ status code should be the endpoint code 200
  When http-server is listening on 8080 When http-server is proxying from 8081 to 8080 it should fallback to the proxied server and file content
    ✗ should match content of the proxied served file 
        »        
        actual expected 
         
        hello, I know nodejitsu 
         // macros.js:14

✗ Broken » 21 honored ∙ 4 broken (0.104s) 

@jfhbrook
Owner

oh. http-server's tests aren't my problem.

@kirkins
Author

kirkins commented Apr 30, 2019

I don't care either, switching to https://github.com/lwsjs/local-web-server takes 5 minutes.

@thornjad
Contributor

We're working on those tests @kirkins, this is a major version upgrade for us, there's more to it than just upgrading the ecstatic dependency. http-party/http-server#520

@kirkins
Author

kirkins commented Apr 30, 2019

@thornjad I'll keep an eye out for that, been using http-server for many years now without problem.
