This repository has been archived by the owner on Nov 4, 2020. It is now read-only.

Package requirements contain security vulnerabilities. #12

Open
adamjaffeback opened this issue Aug 29, 2018 · 0 comments

@adamjaffeback

Background

npm install karma-angular-filesort successfully completes, but warns of a security vulnerability. `npm audit` shows the following:

[screenshot: filesort]

karma-angular-filesort currently requires [email protected], which in turn requires [email protected]. The printout in the console above shows that the security vulnerability is fixed with [email protected].

Solution

In order to fix this, ng-dependencies should be updated to the most recent version (0.8.1), which requires [email protected].

How did this happen?

I assumed that npm install karma-angular-filesort should have installed the most recent minor version of ng-dependencies which includes the lodash fix, because karma-angular-filesort requires "^0.3.0". However, npm's documentation on semver states:

Allows changes that do not modify the left-most non-zero digit in the [major, minor, patch] tuple.

The key here is "non-zero" digit. As a result, v0.3.x is installed. Source: npm bug report.
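The caret behaviour described in this issue can be modelled in a few lines. The following is an added example, not code from the issue author or from karma-angular-filesort or ng-dependencies: it implements the "left-most non-zero digit is frozen" rule for `^x.y.z` ranges and emulates how a resolver picks the highest published version inside the range. The function names and the published-version lists are constructed for illustration; they are not taken from the npm registry.

```javascript
// Added example (not part of the issue): a minimal model of npm's caret
// range semantics for "^x.y.z", enough to show why "^0.3.0" can never
// resolve to 0.8.1. Version lists below are constructed samples.

// Parse "1.2.3" or "v1.2.3" into [major, minor, patch] numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret rule: the left-most non-zero component is frozen and everything
// to its right may increase. Returns the inclusive lower bound and the
// exclusive upper bound of the range.
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error('expected a caret range');
  const [maj, min, pat] = parseVersion(range.slice(1));
  let upper;
  if (maj !== 0) upper = [maj + 1, 0, 0];        // ^1.2.3 -> <2.0.0
  else if (min !== 0) upper = [0, min + 1, 0];   // ^0.3.0 -> <0.4.0
  else upper = [0, 0, pat + 1];                  // ^0.0.3 -> <0.0.4
  return { lower: `${maj}.${min}.${pat}`, upperExclusive: upper.join('.') };
}

// True when `version` lies inside the caret `range`.
function satisfiesCaret(version, range) {
  const { lower, upperExclusive } = caretBounds(range);
  return (
    compareVersions(version, lower) >= 0 &&
    compareVersions(version, upperExclusive) < 0
  );
}

// Emulates the resolver's choice: the highest published version inside
// the range, or null when nothing qualifies.
function resolveHighest(range, published) {
  const ok = published.filter((v) => satisfiesCaret(v, range));
  if (ok.length === 0) return null;
  return ok.sort(compareVersions)[ok.length - 1];
}

// Constructed sample: a 0.x package line where the fix lives in 0.8.1.
const publishedZeroX = ['0.3.0', '0.3.1', '0.4.0', '0.8.1'];
console.log('^0.3.0 bounds:', caretBounds('^0.3.0'));
console.log('^0.3.0 resolves to:', resolveHighest('^0.3.0', publishedZeroX));

// Contrast with a >=1.0.0 line, where the caret spans the whole major.
const publishedOneX = ['1.2.0', '1.5.3', '2.0.0'];
console.log('^1.2.0 resolves to:', resolveHighest('^1.2.0', publishedOneX));
```

Running the block prints that `^0.3.0` is bounded by `>=0.3.0 <0.4.0` and resolves to `0.3.1` from the constructed list, while `^1.2.0` resolves to `1.5.3`. The defender-side takeaway is the one the issue makes: for a `0.x` dependency a caret range is effectively a tilde range, so a security fix released in a later minor version will not be picked up until the declared range itself is bumped.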
