found 1 moderate severity vulnerability

[pradiptadas115]

I can see an issue of " hubot-stackstorm" package installation :

root@bef5e65692ca:/myhubot# npm install hubot-stackstorm
npm WARN deprecated [email protected]: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)

• [email protected]
  added 27 packages from 61 contributors and audited 305 packages in 10.924s
  found 1 moderate severity vulnerability
  run npm audit fix to fix them, or npm audit for details
  root@bef5e65692ca:/myhubot# ^C
  root@bef5e65692ca:/myhubot# npm audit fix
  up to date in 1.29s
  fixed 0 of 1 vulnerability in 305 scanned packages
  1 vulnerability required manual review and could not be updated

[arm4b]

Thanks for the report,

It's caused by outdated dependencies we're using in https://github.com/StackStorm/st2client.js
Related PR that failed to update it: StackStorm/st2client.js#68

This is still a valid issue.

[arm4b]

Currently there are 2 security issues for hubot-stackstorm due to dependencies:

First is axios, which should be fixed in StackStorm/st2client.js#76, thanks to @bgaeddert

Second is lodash.template

[blag]

This issue is held up by hubot-slack, which still does not support coffeescript 2 at this point:

• Add compatibility for Coffeescript 2 (and hubot 3) slackapi/hubot-slack#565
• Revert "Add compatibility for Coffeescript 2 (and hubot 3)" slackapi/hubot-slack#594

I don't think this is a security issue, but this is not one of the devDependencies.

I documented this in the README for st2chatops, which is maybe not the best place for that information to live. 😆

[nmaludy]

Removing from 3.3.0 until upstream changes in hubot have been fixed.