This repository has been archived by the owner on Nov 27, 2018. It is now read-only.

Update validator and request dependencies #20

Open
pdehaan opened this issue Oct 28, 2014 · 3 comments
Comments

pdehaan commented Oct 28, 2014

See:

(I believe the qs issues were fixed in [email protected])


Here was my full install log:

```console
$ git clone https://github.com/freewil/express-form.git .

$ npm install

$ npm shrinkwrap --dev
wrote npm-shrinkwrap.json

$ # sudo npm i nsp -g
$ nsp audit-shrinkwrap
Name       Installed   Patched  Vulnerable Dependency
qs           0.6.6     >= 1.x   express-form > request
qs           0.6.6     >= 1.x   express-form > request
validator    0.4.28    >=2.0.0  express-form
validator    0.4.28   >= 1.1.0  express-form

$ npm outdated --depth 0
Package    Current  Wanted  Latest  Location
async        0.7.0   0.7.0   0.9.0  async
mocha       1.18.2  1.18.2   2.0.1  mocha
request     2.34.0  2.34.0  2.47.0  request
validator   0.4.28  0.4.28  3.22.0  validator

$ travis-lint # http://lint.travis-ci.org/freewil/express-form

$ # sudo npm i package-json-validator -g
$ pjv -wr
package.json is NOT valid
{ valid: false,
  errors:
   [ 'Email not valid for author: @dandean',
     'Email not valid for contributors: @sugarstack',
     'Invalid version range for dependency object-additions: >= 0.5.0' ] }
```
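The `nsp audit-shrinkwrap` step in the log above walks the shrinkwrap tree and reports every package whose installed version is below the patched range, together with the chain of dependents (`express-form > request`). The script below is an added example, not code from express-form or from nsp: it performs the same audit in plain Node.js over a constructed `npm-shrinkwrap.json` object that mirrors the versions in the log, using the qs and validator thresholds from the nsp output (`>= 1.x` read as 1.0.0, `>= 2.0.0`). The advisory table's shape, the numeric-only version parsing and the optional `dev: true` flag on an entry (used to mark findings that are only reachable through a devDependency, which is the triage point the maintainer raises below) are assumptions.

```javascript
// Added example (not express-form's or nsp's code): audit an npm-shrinkwrap.json
// tree against a table of "lowest patched version" advisories and report each
// vulnerable package with the chain of dependents, as `nsp audit-shrinkwrap` does.

// Constructed shrinkwrap object mirroring the versions in the issue's log.
// The "dev: true" flag on request is an assumption (later npm versions emit it).
const SAMPLE_SHRINKWRAP = {
  name: "express-form",
  dependencies: {
    request: {
      version: "2.34.0",
      dev: true,
      dependencies: {
        qs: { version: "0.6.6" }
      }
    },
    validator: { version: "0.4.28" },
    async: { version: "0.7.0" }
  }
};

// Advisory table (assumed shape): package name -> lowest patched version.
// Thresholds come from the nsp output above; ">= 1.x" is read as 1.0.0.
const ADVISORIES = {
  qs: "1.0.0",
  validator: "2.0.0"
};

// Parse "major.minor.patch" (optional leading "v"); prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error("unparseable version: " + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric semver comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk of the dependency tree. A finding records the vulnerable
// package, its installed version, the patched range and the dependents leading
// to it. devOnly is true when any dependent on the path is marked dev: true.
function auditShrinkwrap(shrinkwrap, advisories) {
  const findings = [];
  function walk(deps, path, devOnly) {
    for (const name of Object.keys(deps || {})) {
      const entry = deps[name];
      const patched = advisories[name];
      if (patched && compareVersions(entry.version, patched) < 0) {
        findings.push({
          name,
          installed: entry.version,
          patched: ">=" + patched,
          path: path.join(" > "),
          devOnly
        });
      }
      walk(entry.dependencies, path.concat(name), devOnly || entry.dev === true);
    }
  }
  walk(shrinkwrap.dependencies, [shrinkwrap.name], false);
  return findings;
}

// Render findings as an nsp-style table, one line per finding.
function formatReport(findings) {
  const header = "Name       Installed  Patched   Dependency";
  const rows = findings.map(f =>
    f.name.padEnd(10) + " " + f.installed.padEnd(10) + " " + f.patched.padEnd(9) +
    " " + f.path + (f.devOnly ? " (dev only)" : ""));
  return [header].concat(rows).join("\n");
}

// Stand-alone run over the constructed sample.
console.log(formatReport(auditShrinkwrap(SAMPLE_SHRINKWRAP, ADVISORIES)));

if (typeof module !== "undefined") {
  module.exports = { auditShrinkwrap, compareVersions, formatReport, parseVersion };
}
```

To run it against a real tree, replace `SAMPLE_SHRINKWRAP` with `JSON.parse(require("fs").readFileSync("npm-shrinkwrap.json", "utf8"))` and the advisory table with the current thresholds; the `devOnly` column is what lets you separate a finding like qs under request (test-only) from one like validator that ships in the runtime dependency set.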
freewil (Owner) commented Oct 29, 2014

It's important to note that express-form doesn't actually use the xss filter from validator unless you explicitly use it on a field. Also, request is only a devDependency used in the tests. Anyways - I'll take a look at upgrading these anyways and look at some of those package.json errors.

@alanhoff

@freewil any updates on this issue?

@a-ogilvie

It seems that express-form is still dependent on a version of validator that has a high-risk vulnerability.
