- Security risk: Medium
- Vulnerability: Remote Memory Exposure
Description
Remote memory exposure in nano@6.3.0. Nano was using the package follow, which includes 2 packages with reported Node security vulnerabilities. The packages are:
- request@2.55.0
- hawk@2.3.1
Our module loopback-connector-couchdb2 uses the affected versions. Also, loopback-connector-cloudant uses couchdb2 as a dependency, so it could be affected as well.
Reported by
GitHub user konrad-2013 on the apache/couchdb-nano side.
Aidan Harbison on the StrongLoop side.
Versions affected
nano@6.4.0 and earlier.
Solution
Upgrade to nano 6.4.2 or later if your repository is using an outdated nano package.
Ensure that your application's package.json has the following line:
"dependencies": {
...
"nano": "^6.4.2",
...
},
Then upgrade your project dependencies to use the latest version:
$ cd <app-root>
$ npm update
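
To confirm the upgrade took effect, the lockfile can be checked for the versions named above. The following Node.js script is an added example, not code from nano or LoopBack; it treats any nano below 6.4.2 as needing the upgrade, and its function names and sample lockfile are constructed for illustration.

```javascript
// Versions named in the advisory above; the lockfile at the bottom is constructed sample data.
const FIXED_NANO = [6, 4, 2]; // "Upgrade to nano 6.4.2 or later"
const EXACT_BAD = { request: '2.55.0', hawk: '2.3.1' };

// Keep major.minor.patch only. Non-semver values (git URLs) compare as 0 and get flagged for review.
function parse(version) {
  return version.split('-')[0].split('.').map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

function isAffected(name, version) {
  if (name === 'nano') return lessThan(parse(version), FIXED_NANO);
  return EXACT_BAD[name] === version;
}

// Handles both layouts: flat "packages" (lockfileVersion 2/3) and nested "dependencies" (v1).
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name && meta.version && isAffected(name, meta.version)) hits.push(`${path}@${meta.version}`);
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (meta.version && isAffected(name, meta.version)) hits.push(`${trail}${name}@${meta.version}`);
      walk(meta.dependencies, `${trail}${name} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed v1-style lockfile; the connector and follow version numbers are placeholders.
const hawk = { version: '2.3.1' };
const request = { version: '2.55.0', dependencies: { hawk } };
const follow = { version: '0.0.0-sample', dependencies: { request } };
const nano = { version: '6.3.0', dependencies: { follow } };
const sampleLock = {
  lockfileVersion: 1,
  dependencies: { 'loopback-connector-couchdb2': { version: '0.0.0-sample', dependencies: { nano } } },
};
console.log(findAffected(sampleLock).join('\n'));
```

In a real project, pass the parsed contents of package-lock.json to findAffected; an empty result means none of the listed versions remain in the tree.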