security vulnerability caused by rc@1.2.6

[filipesantoss]

In our project, Snyk reported rc@1.2.6 as a dependency with a known security vulnerability, because it depends on deep-extend@0.4.2.

The latest version of rc (1.2.7) fixed this vulnerability.

More info about the (low priority) vulnerability in deep-extend@0.4.2 can be found at
https://snyk.io/vuln/npm:deep-extend:20180409

[recrsn]

We will upgrade as soon as node-pre-gyp releases a new version.

However, node-pre-gyp is used only during npm install and never gets fed to any unknown inputs. In normal operation, bcrypt does not depend on any external module.

[enzolutions]

+1

[springmeyer]

fixed in ac80467