node-static package is vulnerable,How to bypass this dependency #4330

Open
prim84 opened this issue Dec 6, 2024 · 5 comments

prim84 commented Dec 6, 2024

Your question

node-static is a dependency of sitespeed.io/browsertime. But node-static is considered highly vulnerable, and our organization is not allowing us to download this dependency. Please refer to the package health score at the URL below.

https://snyk.io/advisor/npm-package/node-static?_gl=1*158ie5y*_gcl_au*MjI0NDY2MTE0LjE3MzM1MTA3NzQ.*_ga*MTc1MjA5NDMyNi4xNzMzNTEwNzYw*_ga_X9SH3KP7B4*MTczMzUxMDc2My4xLjEuMTczMzUxMDc3NC4wLjAuMA..

Due to this, we are not able to install it via the npm install command. See the error below. Is there a way to bypass the dependency and proceed?

X:>npm install -g sitespeed.io@35.2.0
npm error code E404
npm error 404 Not Found - GET https://XXX-nprepo.XXX.com/artifactory/api/npm/fm-npm-auto-local/node-static
npm error 404
npm error 404 'node-static@^0.7.11' is not in this registry.
npm error 404
npm error 404 Note that you can also install from a
npm error 404 tarball, folder, http url, or git url.

soulgalore (Member) commented

You can ping https://github.com/fqueze/usb-power-profiling and ask them to fix the dependency, then I can upgrade to the new version in Browsertime.

prim84 (Author) commented Dec 9, 2024

@fqueze @gmierz @canova @gw3583 @julienw: please see the above comments from @soulgalore. Can you help with fixing the dependency (node-static) package?

fqueze commented Dec 11, 2024

> You can ping https://github.com/fqueze/usb-power-profiling and ask them to fix the dependency, then I can upgrade to the new version in Browsertime.

usb-power-profiling 1.5.0 no longer depends on node-static.

prim84 (Author) commented Dec 11, 2024

@soulgalore: the usb-power-profiling contributors have replaced the node-static package with serve-handler. Can you help with the new version of browsertime?

soulgalore (Member) commented

This is fixed in #4336 - let me do a sitespeed.io release later tonight.
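As an added example (not code from the sitespeed.io, browsertime or usb-power-profiling projects), the following Node.js script answers the two practical questions in this thread: which dependency chain drags node-static in, and whether it is really gone once browsertime picks up usb-power-profiling 1.5.0. It walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3) using npm's own node_modules lookup rules, so it also handles nested (deduplication-failed) copies. The two embedded lockfiles are constructed for the example; apart from sitespeed.io 35.2.0, usb-power-profiling 1.5.0 and node-static ^0.7.11, which appear in the thread, every version number is a placeholder.

```javascript
// Added example (not code from sitespeed.io, browsertime or usb-power-profiling):
// list every dependency chain from the root of an npm lockfile to a named
// package, to see who pulls in node-static and to confirm it is gone afterwards.
"use strict";

// npm resolves a dependency of the package installed at `fromKey` by looking in
// its own node_modules, then in each ancestor's node_modules, ending at the
// top-level "node_modules/<name>". Returns the lockfile key or null.
function resolveDep(packages, fromKey, depName) {
  let base = fromKey;
  for (;;) {
    const candidate = base === "" ? `node_modules/${depName}` : `${base}/node_modules/${depName}`;
    if (Object.prototype.hasOwnProperty.call(packages, candidate)) return candidate;
    if (base === "") return null; // not in the lockfile (e.g. an unmet optional dep)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name from a lockfile key such as "node_modules/a/node_modules/@scope/b".
function nameFromKey(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Depth-first walk over dependencies and optionalDependencies. Returns an array
// of chains, each an array of "name@version" labels from the root to `target`.
function findDependencyPaths(lock, target) {
  const packages = lock.packages || {};
  const chains = [];
  const onPath = new Set(); // guards against dependency cycles

  function visit(key, trail) {
    const pkg = packages[key];
    if (!pkg || onPath.has(key)) return;
    onPath.add(key);
    const label = key === "" ? (pkg.name || "(root)") : `${nameFromKey(key)}@${pkg.version}`;
    const here = trail.concat(label);
    if (key !== "" && nameFromKey(key) === target) chains.push(here);
    const deps = Object.assign({}, pkg.dependencies, pkg.optionalDependencies);
    for (const dep of Object.keys(deps)) {
      const next = resolveDep(packages, key, dep);
      if (next !== null) visit(next, here);
    }
    onPath.delete(key);
  }

  visit("", []);
  return chains;
}

// Human-readable report: one line per chain, or an explicit "not present" line.
function report(lock, target) {
  const chains = findDependencyPaths(lock, target);
  if (chains.length === 0) return `${target}: not present in lockfile`;
  return chains.map((chain) => chain.join(" > ")).join("\n");
}

// Read a real package-lock.json from disk (only used when a path is supplied).
function loadLock(path) {
  const fs = require("fs");
  return JSON.parse(fs.readFileSync(path, "utf8"));
}

// Constructed sample lockfiles mirroring the chain discussed in the thread.
// Versions other than sitespeed.io 35.2.0, usb-power-profiling 1.5.0 and
// node-static 0.7.11 are placeholders, not the projects' real published versions.
const SAMPLE_LOCK_BEFORE = {
  name: "demo", lockfileVersion: 3,
  packages: {
    "": { name: "demo", dependencies: { "sitespeed.io": "*" } },
    "node_modules/sitespeed.io": { version: "35.2.0", dependencies: { browsertime: "*" } },
    "node_modules/browsertime": { version: "1.0.0", dependencies: { "usb-power-profiling": "^1.4.0" } },
    "node_modules/usb-power-profiling": { version: "1.4.0", dependencies: { "node-static": "^0.7.11" } },
    "node_modules/node-static": { version: "0.7.11" },
  },
};

const SAMPLE_LOCK_AFTER = {
  name: "demo", lockfileVersion: 3,
  packages: {
    "": { name: "demo", dependencies: { "sitespeed.io": "*" } },
    "node_modules/sitespeed.io": { version: "35.2.0", dependencies: { browsertime: "*" } },
    "node_modules/browsertime": { version: "1.0.1", dependencies: { "usb-power-profiling": "^1.5.0" } },
    "node_modules/usb-power-profiling": { version: "1.5.0", dependencies: { "serve-handler": "*" } },
    "node_modules/serve-handler": { version: "1.0.0" },
  },
};

// Usage: node lock-chains.js [package-lock.json] [package-name]
if (typeof process !== "undefined" && process.argv[2]) {
  console.log(report(loadLock(process.argv[2]), process.argv[3] || "node-static"));
} else {
  console.log("before upgrade:\n" + report(SAMPLE_LOCK_BEFORE, "node-static"));
  console.log("after upgrade:\n" + report(SAMPLE_LOCK_AFTER, "node-static"));
}
```

Run it against a real lockfile as `node lock-chains.js package-lock.json node-static` (the script filename is an assumption). On an already installed tree, `npm explain node-static` (npm 7 and later) prints the same chains; the script is for the situation in the question, where the private registry refuses to install the tree at all, because a lockfile generated on another machine can still be audited offline. The 404 from Artifactory in the question means the proxy is blocking the package, not that it is missing upstream, so a package.json `overrides` entry pinning some other node-static version would still request node-static from that registry; the dependency has to go away, which is what usb-power-profiling 1.5.0 did by switching to serve-handler.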
