This repository has been archived by the owner on Feb 6, 2025. It is now read-only.
Thanks for taking the time to check the security of Ponte and reporting these issues.
We are currently working on updating the dependencies and refactoring Ponte to work with the latest version of node #28, #29, #30. The latest version of Mosca is 2.2.0, so maybe these issues have already been solved. After this is finished we will run the tests again...
There is a suggestion that we replace Mosca with Aedes #32
Maybe we can add "nsp check" to the pre-commit hooks as well...
With the last merge in the master branch #41, this issue should be solved.
Can you please check out the code from the master branch, retest, and if everything is good, close this issue?
ponte version: 0.0.16
nsp check reports the following 3 vulnerabilities:
Regular Expression Denial of Service
[email protected] > [email protected]
https://nodesecurity.io/advisories/55
DoS due to excessively large websocket message
[email protected] > [email protected] > [email protected]
https://nodesecurity.io/advisories/120
Remote Memory Disclosure
[email protected] > [email protected] > [email protected]
https://nodesecurity.io/advisories/67