The Node Security Platform is shutting down September 30.Learn more ยป

Exceptions are advisories your project will ignore

Untrusted content not exposed to UglifyJS

Untrusted content not exposed to UglifyJS

AFAICT the dep in question (connect-auth-pumpio) doesn't actually invoke this function. Normally I wouldn't care and say patch it anyway, but this is legacy code that we really should just rip out instead. If this was information disclosure it'd be a different story, but I think fixing this in the short-term just isn't justified.

`gm` does not use the %o formatter, which is the vulnerable function.

Used in the Bunyan CLI on trusted values generated internally by Bunyan

constantinople is only used in the Jade compiler/parser and we don't compile untrusted Jade templates.