I added caret version ranges to big packages because there are no breaking changes in a patch update. Taken from npm:

> Allows changes that do not modify the left-most non-zero digit in the [major, minor, patch] tuple. In other words, this allows patch and minor updates for versions 1.0.0 and above, patch updates for versions 0.X >=0.1.0, and no updates for versions 0.0.X.

[More](https://docs.npmjs.com/misc/semver#caret-ranges-123-025-004)
Minetrack currently has 11 vulnerable dependency paths, introducing 6 different types of known vulnerabilities.
This PR fixes vulnerable dependencies: a [ReDoS vulnerability](https://snyk.io/vuln/npm:tough-cookie:20160722) in the `tough-cookie` dependency and a [remote memory exposure](https://snyk.io/vuln/npm:request:20160119) vulnerability in the `request` dependency.
You can see the [Snyk test report](https://snyk.io/test/github/Cryptkeeper/Minetrack) of this project for details.
This PR changes `package.json` to upgrade `request` to the newer 2.74.0 version, and will fix all the vulnerabilities listed above.
You can get alerts and fix PRs for future vulnerabilities for free by [watching this repo with Snyk](https://snyk.io/add).
Note this PR fixes all the vulnerabilities introduced through the `request` dependency; in order to be vulnerability free you will need to upgrade other dependencies as well.
Full disclosure: I'm a part of the Snyk team, just looking to spread some security goodness and awareness ;)
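
The caret rule quoted in the first description and the `request` 2.74.0 upgrade in the second can be checked together: a caret range only guarantees the fix if its lower bound is at or above the fixed version. The following is an added example, not code from Minetrack, npm or Snyk; it handles plain `MAJOR.MINOR.PATCH` versions only, the helper names are hypothetical, and every range except the fixed version 2.74.0 is constructed.

```javascript
// Added example: caret-range check for plain MAJOR.MINOR.PATCH versions
// (no prerelease tags or x-ranges). Helper names are hypothetical.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// "^min" allows the half-open interval [min, max): max bumps the left-most
// non-zero digit of min and zeroes every digit after it.
function caretBounds(range) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const min = parseVersion(range.slice(1));
  const first = min.findIndex((n) => n !== 0);
  const pin = first === -1 ? 2 : first; // ^0.0.0 allows only 0.0.0
  const max = [0, 0, 0];
  for (let k = 0; k < pin; k++) max[k] = min[k];
  max[pin] = min[pin] + 1;
  return { min, max };
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const { min, max } = caretBounds(range);
  return compare(v, min) >= 0 && compare(v, max) < 0;
}

// Classify a declared range against the first fixed version of a dependency.
// Assumes releases at or above fixedIn keep the fix.
function auditRange(range, fixedIn) {
  const { min } = caretBounds(range);
  if (compare(min, parseVersion(fixedIn)) >= 0) return 'always-patched';
  return satisfies(fixedIn, range) ? 'may-resolve-vulnerable' : 'cannot-reach-fix';
}

// 2.74.0 is the fixed `request` version named above; the ranges are constructed.
for (const r of ['^2.74.0', '^2.60.0', '^1.9.0', '^0.0.3']) {
  console.log(r, '->', auditRange(r, '2.74.0'));
}
```

A `may-resolve-vulnerable` result means the range admits the fix but an existing install or lockfile can still sit below it, which is why raising the lower bound in `package.json` matters.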
The Minetrack daemon will send a different protocol version each time
it pings a server. If a server responds with the same protocol version,
it is assumed that the version is supported, and it is shown on the
page above the server's player count.
The list of versions to be tried is stored in config.json.
At the moment, 4 versions are checked:
- 4 (Minecraft 1.7.2)
- 5 (Minecraft 1.7.10)
- 47 (Minecraft 1.8)
- 107 (Minecraft 1.9)