Audit error on serverless install (npm audit)


#1

When I run my npm install, I am seeing a security vulnerability on a serverless dependency:

RobWeaver:SharedDeployScripts robweaver$ npm audit fix
npm WARN TAPREST@1.0.0 No repository field.

updated 1 package in 3.329s
fixed 1 of 2 vulnerabilities in 1264 scanned packages
  1 vulnerability required manual review and could not be updated
RobWeaver:SharedDeployScripts robweaver$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ https-proxy-agent                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ serverless > https-proxy-agent                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/593                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 1264 scanned packages
1 vulnerability requires manual review. See the full report for details.


#2

The best place to report this is the Serverless Framework GitHub repo, where development takes place.