Open augustogoncalves opened 5 years ago
I'm running into some issues related to vulnerabilities as well:
`npm audit fix`
resolves 8 of them (4 moderate, 4 high)
`npm audit fix --force`
resolves 4 additional ones, still leaving 4 vulnerabilities (1 low, 2 moderate, 1 high), but it breaks the webpack build

In my opinion, this project is cluttered with many unnecessary dependencies that will only make the ongoing maintenance more difficult.
For example, consider the packages rmdir and rimraf - both are used in this project, both are doing pretty much the same thing, and unless you need any special permission handling, they can be implemented with a few lines of code using standard node.js modules.
Another example, node-zip, archiver, adm-zip (and perhaps even compression) packages that are also all used in this project.
This is not a good practice imho. And also, if I were looking for just a Forge/React/Redux boilerplate code, seeing all these dependencies (incl. things like jquery or socket.io?) would probably drive me away. So I guess the question is: is this boilerplate code useful to our customers? If so, we will need to scrub the dependencies that aren't needed, and fix the vulnerabilities in the remaining ones. It's probably doable, but it'll take a significant amount of effort.
Agree that a template sample should be as simple as possible, without any unnecessary dependencies, so removing them is a good idea.
Looking at the number of stars/forks, it seems like it's somehow used...
Thinking about it, would it make sense to have a React UI for the learnforge instead of having this repo as a separate sample? That would leave us with a common basic server-side. What do you think?
I like that idea 👍 taking the learnforge sample, leaving the server side as-is, and only adding a React-based frontend as an alternative to the jQuery/jTree one.
Known moderate severity security vulnerability detected in bootstrap >= 3.0.0, < 3.4.1 defined in package.json.
package.json update suggested: bootstrap ~> 3.4.1.