Description
The new npm audit feature, which alerts one to security warnings on dependencies, indicates a high-risk denial of service issue with the dependency on saucelabs, which had a bad version of https-proxy-agent as a dependency.
Also, the dependency on lodash before 4.17.5 was subject to prototype pollution, and grunt-saucelabs is relying upon this version in two ways:
- by relying on lodash as a direct dependency using the tilde (only accepting patch updates) above 4.13.1.
- by relying on requestretry (which relies on fg-lodash which relies on lodash) using the tilde (only accepting patch updates) above 1.9.0.
Upgrading to the latest versions should fix all of these issues. (There are a number of security issues when doing an audit against a local install of grunt-saucelabs, but the above are the only ones I'm seeing as a dependency.)
While I could submit a PR to upgrade these, I am getting errors when trying to run npm test, so I'm not sure whether upgrades would break anything.
I know you're not actively maintaining, @axemclion, but could you look into this both as it is security-related, and because I'm trying to get rid of the issues for the sake of IndexedDBShim as well?
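The following is an added example, not code from grunt-saucelabs or from the issue author. It models the two dependency chains described above as a small nested tree, walks that tree to report every path ending in a lodash release older than the patched 4.17.5, and shows why a tilde range such as `~4.13.1` can never resolve to 4.17.5 (tilde admits patch releases only, so `~4.13.1` stops at `< 4.14.0`). The package names and the ranges `~4.13.1` and `~1.9.0` come from the issue; the resolved versions, the grunt-saucelabs version and the fg-lodash to lodash range are constructed values for illustration, not real lockfile data.

```javascript
// Added example (not part of the original issue or the grunt-saucelabs code base).
// Walks a constructed dependency tree and reports every path that resolves to
// a package version below a given fixed release, then checks whether the tilde
// range on that path could ever admit the fix.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator over major.minor.patch: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Tilde semantics as npm applies them: ~X.Y.Z admits >= X.Y.Z and < X.(Y+1).0,
// i.e. patch releases of one minor line only.
function satisfiesTilde(range, version) {
  if (!range.startsWith('~')) throw new Error(`only tilde ranges handled: ${range}`);
  const floor = range.slice(1);
  const [maj, min] = parseVersion(floor);
  const ceiling = `${maj}.${min + 1}.0`;
  return compareVersions(version, floor) >= 0 && compareVersions(version, ceiling) < 0;
}

// Depth-first walk over a nested tree of { name, version, range?, dependencies }.
// Returns every path that ends in `pkgName` at a version below `fixedVersion`.
function findVulnerablePaths(root, pkgName, fixedVersion) {
  const hits = [];
  const walk = (node, trail) => {
    const here = [...trail, node.name];
    if (node.name === pkgName && compareVersions(node.version, fixedVersion) < 0) {
      hits.push({ path: here.join(' > '), version: node.version, range: node.range });
    }
    for (const dep of node.dependencies || []) walk(dep, here);
  };
  walk(root, []);
  return hits;
}

// Constructed tree mirroring the two chains the issue describes. Resolved
// versions and the fg-lodash -> lodash range are assumed, not real data.
const exampleTree = {
  name: 'grunt-saucelabs',
  version: '9.0.0', // assumed
  dependencies: [
    { name: 'lodash', range: '~4.13.1', version: '4.13.1', dependencies: [] },
    {
      name: 'requestretry', range: '~1.9.0', version: '1.9.0',
      dependencies: [
        {
          name: 'fg-lodash', range: '0.0.2', version: '0.0.2', // assumed
          dependencies: [
            { name: 'lodash', range: '^4.0.0', version: '4.16.6', dependencies: [] }, // assumed
          ],
        },
      ],
    },
  ],
};

// Prints each vulnerable path and flags tilde ranges that cannot reach the fix.
function report(tree = exampleTree, pkgName = 'lodash', fixedVersion = '4.17.5') {
  const hits = findVulnerablePaths(tree, pkgName, fixedVersion);
  for (const h of hits) {
    const blocked = h.range && h.range.startsWith('~') && !satisfiesTilde(h.range, fixedVersion);
    console.log(`${h.path}@${h.version}` +
      (blocked ? ` (range ${h.range} cannot reach ${fixedVersion})` : ''));
  }
  return hits;
}

report();
```

Running the block lists both paths from the issue: the direct lodash dependency, whose `~4.13.1` range is flagged because it tops out below 4.14.0, and the transitive lodash under requestretry > fg-lodash. Bumping a tilde floor to `~4.17.5` (or switching to a caret range) is what lets the direct chain pick up the fix; the transitive chain needs the intermediate packages updated, which matches the "upgrade to the latest versions" advice above.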