
I ran nsp on a project I'm about to deploy and I got this vulnerability:

 Name          │ mime
 CVSS          │ 7.5 (High)
 Installed     │ 1.2.11
 Vulnerable    │ < 1.4.1 || > 2.0.0 < 2.0.3
 Patched       │ >= 1.4.1 < 2.0.0 || >= 2.0.3
 Path          │ myProject@1.0.0 > winston-s3@1.0.0 > winston@0.7.3 > request@2.16.6 > form-data@0.0.10 > mime@1.2.11
 More Info     │ https://nodesecurity.io/advisories/535

Now I understand that I need to update the "mime" dependency, but my problem is that the vulnerability is inside a dependency of a dependency of a dependency.

My 'winston-s3' dependency is up-to-date. When I go to 'node_modules/winston-s3/node_modules/winston/' there is no 'node_modules' directory, and the "mime" dependency in the main 'node_modules' directory is up-to-date, so I guess that winston-s3 is not using this code.

Any idea how to fix this?

Thanks a lot!

Chiko