jannyHou
commented
Jan 15, 2020
Should fix the vulnerability, see the installation message:
jannyHous-MacBook-Pro:loopback-component-storage jannyhou$ npm i
npm WARN deprecated superagent@3.8.3: Please note that v5.0.1+ of superagent removes User-Agent header by default, therefore you may need to add it yourself (e.g. GitHub blocks requests without a User-Agent header). This notice will go away with v5.0.2+ once it is released.
> ejs@2.7.4 postinstall /Users/jannyhou/Desktop/2019/snyk/loopback-component-storage/node_modules/ejs
> node ./postinstall.js
Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)
npm WARN eslint-plugin-mocha@4.12.1 requires a peer of eslint@^2.0.0 || ^3.0.0 || ^4.0.0 but none is installed. You must install peer dependencies yourself.
added 455 packages from 855 contributors and audited 2594 packages in 34.911s
found 0 vulnerabilities
jannyHou
commented
Jan 15, 2020
Chatted with @raymondfeng; the best solution would be a new release of https://github.com/1and1/oneandone-cloudserver-sdk-nodejs
I contacted the author in 1and1/oneandone-cloudserver-sdk-nodejs#21 (comment), will wait and see if we can use the new release.
hectorleiva
commented
Feb 17, 2020
Hey all, I really appreciate all the work that has gone into this package to make Strongloop/Loopback a viable framework.
I'm hoping that this can be merged in sometime soon as I continue to get critical and high warnings via npm audit when it seems like this branch resolves these warnings.
Again, I appreciate all the work! Thanks in advance.
pbalan
commented
Mar 4, 2020
Waiting for this update too.
raymondfeng
commented
Mar 4, 2020
To those who are concerned, we did the analysis and concluded that the reported vulnerability was transitively from an older version of mocha. No runtime code uses that dependency and it's safe even though a warning is issued by npm audit.
We understand the alerts are annoying. We have tried to get it fixed by upstream modules but no success so far. It's a bit frustrating. We'll see if we have to fork the offending modules and release them under new names.
pbalan
commented
Mar 12, 2020
@raymondfeng I'd like some help with #237. Not sure if I should open a new one.
mjaime29
commented
Apr 6, 2020
Hey all, I really appreciate all the work. Waiting for this update too.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
KevLehman
commented
Jun 18, 2020
Is there any update on this? I know that the dependency is not being used, but the critical thing is very annoying.
mjaime29
commented
Aug 24, 2020
Is there any update on this?
AgostinoArcasensa
commented
Oct 31, 2020
Any update on this issue?
lewie6
commented
May 19, 2021
Hey, any update on this issue?
Gayathri-Nadimpalli
commented
May 19, 2021
Is there any update on this story?
dhmlau
commented
May 19, 2021
Just checked the comment @jannyHou posted above: 1and1/oneandone-cloudserver-sdk-nodejs#21 (comment); there's no progress there.
In the meanwhile, please take a look at @raymondfeng's comment:
No runtime code uses that dependency and it's safe even though a warning is issued by npm audit.
Update the dependencies:
Solution is from ppproxy@1ab25b6
The vulnerability package path is:
loopback-component-storage@3.6.3 › pkgcloud@2.2.0 › liboneandone@1.2.0 › mocha@2.5.3 › growl@1.9.2
liboneandone is not maintained anymore; for more discussion, see pkgcloud/pkgcloud#644, pkgcloud/pkgcloud#675, pkgcloud/pkgcloud#671
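The question argued over in this thread, whether the flagged growl package is reachable from runtime dependencies or only through a dev tool, can be answered from the lockfile before deciding how to treat an npm audit warning. The script below is an added example, not code from the loopback-component-storage project or from this PR. It walks a constructed lockfileVersion 2 package-lock.json fragment that mirrors the chain quoted in the PR description and reports every path to the target package, labelled by whether it enters through the root's dependencies or devDependencies. The sample versions, the mocha@7.0.0 dev entry and the resolve/find_paths/triage names are assumptions made for illustration.

```python
"""Triage an npm audit finding by walking package-lock.json (lockfileVersion 2/3 "packages" map).

Added example; the lockfile below is constructed, not the project's real lock.
"""
import json
from collections import deque

# Constructed sample mirroring the path from the PR description:
# loopback-component-storage > pkgcloud > liboneandone > mocha > growl
# plus an assumed dev-only mocha@7.0.0 at the root to show the contrast.
SAMPLE_LOCK = json.dumps({
    "name": "loopback-component-storage",
    "lockfileVersion": 2,
    "packages": {
        "": {
            "dependencies": {"pkgcloud": "^2.2.0"},
            "devDependencies": {"mocha": "^7.0.0"},
        },
        "node_modules/pkgcloud": {"version": "2.2.0", "dependencies": {"liboneandone": "^1.2.0"}},
        "node_modules/liboneandone": {"version": "1.2.0", "dependencies": {"mocha": "^2.5.3"}},
        "node_modules/liboneandone/node_modules/mocha": {"version": "2.5.3", "dependencies": {"growl": "1.9.2"}},
        "node_modules/liboneandone/node_modules/growl": {"version": "1.9.2"},
        "node_modules/mocha": {"version": "7.0.0", "dev": True, "dependencies": {"growl": "1.10.5"}},
        "node_modules/growl": {"version": "1.10.5", "dev": True},
    },
})


def resolve(packages, from_key, name):
    """Return the lock key that `name` resolves to when required from `from_key`,
    following Node's nested node_modules lookup (innermost directory first)."""
    base = from_key
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        # Strip the trailing "/node_modules/<pkg>" segment and retry one level up.
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def _name_of(key):
    """Package name from a lock key; scoped names ("@scope/pkg") survive intact."""
    return key.rsplit("node_modules/", 1)[1]


def find_paths(lock_text, target):
    """Enumerate every dependency chain from the root project to a package named `target`.

    Returns a list of (chain, is_production) pairs. `chain` is a list of "name@version"
    strings; `is_production` is False when the chain enters via the root's devDependencies.
    Below the root only the "dependencies" field is followed, because a transitive
    package's devDependencies are never installed.
    """
    packages = json.loads(lock_text)["packages"]
    root = packages[""]
    results = []
    queue = deque()  # entries: (list of lock keys on this path, production flag)
    for section, prod in (("dependencies", True), ("devDependencies", False)):
        for name in root.get(section, {}):
            key = resolve(packages, "", name)
            if key is not None:
                queue.append(([key], prod))
    while queue:
        keys, prod = queue.popleft()
        key = keys[-1]
        if _name_of(key) == target:
            chain = [f"{_name_of(k)}@{packages[k]['version']}" for k in keys]
            results.append((chain, prod))
            continue
        for dep in packages[key].get("dependencies", {}):
            dep_key = resolve(packages, key, dep)
            if dep_key is not None and dep_key not in keys:  # skip cycles
                queue.append((keys + [dep_key], prod))
    return results


def triage(lock_text, target):
    """Split the chains to `target` into production-reachable and dev-only groups."""
    paths = find_paths(lock_text, target)
    return {
        "production": [" > ".join(c) for c, prod in paths if prod],
        "dev_only": [" > ".join(c) for c, prod in paths if not prod],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOCK, "growl"), indent=2))
```

Run as-is, the script reports one production-reachable chain (pkgcloud > liboneandone > mocha@2.5.3 > growl@1.9.2) and one dev-only chain. A production-reachable chain is exactly what makes npm audit report the finding regardless of whether the module is ever loaded at runtime, which is the maintainers' point above; the lockfile check tells you why the warning exists and which edge a dependency bump must remove. A fuller tool would also follow optionalDependencies and honour the per-entry "dev" flag npm writes, which this example ignores in favour of deriving reachability from the root sections directly.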