This repository has been archived by the owner on Jan 19, 2024. It is now read-only.

update vulnerable package #3

Closed
wants to merge 2 commits into from

Conversation

pickworth

negotiator must be updated to v0.6.1

https://nodesecurity.io/advisories/106

@coveralls

coveralls commented Sep 1, 2016


Coverage remained the same at 96.087% when pulling 88164f0 on nmors:bugfix-vuln-patch-1 into 82c672a on mulesoft-labs:master.

@coveralls

coveralls commented Sep 1, 2016


Coverage remained the same at 96.087% when pulling 14cc077 on nmors:bugfix-vuln-patch-1 into 82c672a on mulesoft-labs:master.

@tbruno
Contributor

tbruno commented Sep 2, 2016

@nmors:

We are making use of Caret ranges (https://docs.npmjs.com/misc/semver#caret-ranges-123-025-004):

Allows changes that do not modify the left-most non-zero digit in the [major, minor, patch] tuple. In other words, this allows patch and minor updates for versions 1.0.0 and above, patch updates for versions 0.X >=0.1.0, and no updates for versions 0.0.X.

So by having "negotiator": "^0.6.0" in request-error-handler's package.json, we are indeed telling NPM to install the latest patch in 0.6.x for "negotiator".
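To make the caret rule quoted above concrete, here is an added example (not code from the PR, from npm, or from request-error-handler) that implements that rule for plain x.y.z versions and checks whether a given installed negotiator version still falls below the advisory's fixed version. The `checkInstalled` helper and the sample inputs are constructed for illustration.

```javascript
// Added example: minimal implementation of npm's caret-range rule as quoted
// in the thread. Assumes plain x.y.z versions with no prerelease tags.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret rule: changes may not modify the left-most non-zero component of
// [major, minor, patch]. Returns the exclusive upper bound for "^x.y.z".
function caretUpperBound(base) {
  const [major, minor, patch] = parseVersion(base);
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`not a caret range: ${range}`);
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
         compareVersions(version, caretUpperBound(base)) < 0;
}

// Constructed helper: given the range in package.json, the version actually
// installed (e.g. read from node_modules/negotiator/package.json or a
// shrinkwrap) and the advisory's fixed version, report whether the range
// admits the fix and whether the installed copy is still below it.
function checkInstalled(range, installed, fixedIn) {
  return {
    inRange: satisfiesCaret(range, installed),
    fixedAllowedByRange: satisfiesCaret(range, fixedIn),
    vulnerable: compareVersions(installed, fixedIn) < 0,
  };
}

// Constructed sample: the range from the thread and a stale 0.6.0 that a
// cache or shrinkwrap could still pin even though the range allows 0.6.1.
console.log(checkInstalled('^0.6.0', '0.6.0', '0.6.1'));
console.log(caretUpperBound('0.6.0'), caretUpperBound('1.2.3'), caretUpperBound('0.0.3'));
```

The point of the last call is that a caret range permitting the fixed version does not by itself prove the fixed version is installed; the installed copy has to be checked separately.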

@pickworth
Author

pickworth commented Sep 6, 2016

I am getting the vulnerable version when I do a fresh npm install.

@tbruno Are you also? I'm using node 6.2.0. Specifying "^0.6.1" fixes it for me.

@cesaraugustogarcia
Contributor

cesaraugustogarcia commented Sep 6, 2016

Hi @nmors, I just tried a clean npm install after cloning the project and it worked fine for me (it brought the negotiator version with the fix, 0.6.1):

negotiator@0.6.1 node_modules/negotiator

Have you tried cleaning your npm cache (npm cache clean)?
Also, can you ensure you do not have an npm-shrinkwrap.json on your project?

@jstoiko jstoiko closed this Mar 31, 2018