Good morning,
After verifying Newman’s not installed globally or locally, when I attempt to install I get the below. These vulnerabilities prevent a clean pipeline build. Are there plans to address this outside of “npm audit fix --force”? Let me know if you need more info.
My environment:
Mac OS
Node version: v22.11.0
npm install newman
up to date, audited 165 packages in 713ms
13 packages are looking for funding
run `npm fund` for details
3 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
“npm audit” returns the below:
npm audit
# npm audit report
jose 3.0.0 - 4.15.4
Severity: moderate
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - https://github.com/advisories/GHSA-hhhv-q57g-882q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jose
postman-runtime 7.31.0 - 7.40.0-beta.1
Depends on vulnerable versions of jose
node_modules/postman-runtime
newman 6.0.0 - 6.1.3 || >=6.2.1
Depends on vulnerable versions of postman-runtime
node_modules/newman
3 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force