ChapelR / tweego-setup

A Tweego project boilerplate.
The Unlicense

175 vulnerabilities #4

Closed dylan-k closed 5 years ago

dylan-k commented 5 years ago

upon doing `npm install` I got...

```
added 522 packages from 377 contributors and audited 3479 packages in 35.252s
found 175 vulnerabilities (3 low, 168 moderate, 4 high)
  run `npm audit fix` to fix them, or `npm audit` for details
```

So I did `npm audit fix` but then I got...

```
+ jshint@2.10.2
+ @babel/core@7.4.4
added 3 packages from 1 contributor, removed 39 packages and updated 39 packages in 33.084s
fixed 169 of 175 vulnerabilities in 3479 scanned packages
  1 package update for 6 vulns involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)
```

Should I be concerned about the "vulns" or "breaking changes" mentioned here? I'm on Ubuntu 18.04 with npm 6.4.1.

ChapelR commented 5 years ago

I do not recommend running npm audit fix. Breaking changes are bad and can cause all sorts of shenanigans.

Short answer is there isn't really anything to worry about. The packages used by this boilerplate don't actually wind up in your project, and the vulnerabilities are usually more for people working on certain things, server-side stuff, for the most part.

Since all we use these packages for is code quality and build stuff, the vulnerabilities will not impact your project, and they aren't "vulnerable" in the sense that your computer is in danger.

For more clarity and peace of mind, here's an article I found on Google if you're interested: https://www.voitanos.io/blog/don-t-be-alarmed-by-vulnerabilities-after-running-npm-install
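As an added example (not code from the tweego-setup project), here is a small script that triages a constructed `npm audit --json` report so the dev-only advisories the comment above refers to can be separated from any that touch runtime dependencies; it assumes the npm 6 report shape (`advisories[].findings[].dev`, `actions[].isMajor`), and the `express`/`fresh` entry is a made-up runtime dependency included only to show the split:

```javascript
// Added example, not part of the tweego-setup project.
// Constructed report in the shape `npm audit --json` produced under npm 6;
// a real report is much larger. The express>fresh entry is invented so that
// both partitions are exercised (the boilerplate itself ships no runtime deps).
const sampleAudit = {
  actions: [
    { action: "update", module: "lodash", target: "4.17.11", isMajor: false,
      resolves: [{ id: 1, path: "gulp>lodash", dev: true }] },
    { action: "install", module: "jshint", target: "2.10.2", isMajor: true,
      resolves: [{ id: 2, path: "jshint>minimatch", dev: true }] },
    { action: "update", module: "express", target: "4.17.1", isMajor: false,
      resolves: [{ id: 3, path: "express>fresh", dev: false }] },
  ],
  advisories: {
    1: { id: 1, module_name: "lodash", severity: "moderate",
         findings: [{ version: "4.17.4", paths: ["gulp>lodash"], dev: true }] },
    2: { id: 2, module_name: "minimatch", severity: "high",
         findings: [{ version: "3.0.2", paths: ["jshint>minimatch"], dev: true }] },
    3: { id: 3, module_name: "fresh", severity: "high",
         findings: [{ version: "0.5.0", paths: ["express>fresh"], dev: false }] },
  },
};

// Partition advisories: reachable only through devDependencies (build and
// lint tooling that never ends up in the compiled story) versus reachable
// through at least one runtime dependency path. Also collect the actions npm
// marks isMajor, which are the "breaking changes" that `npm audit fix` skips
// unless run with --force, so they can be reviewed by hand.
function triageAudit(audit) {
  const devOnly = [];
  const runtime = [];
  for (const adv of Object.values(audit.advisories)) {
    const allDev = adv.findings.every((f) => f.dev === true);
    const entry = { id: adv.id, module: adv.module_name, severity: adv.severity };
    (allDev ? devOnly : runtime).push(entry);
  }
  const breaking = audit.actions
    .filter((a) => a.isMajor)
    .map((a) => `${a.module}@${a.target}`);
  return { devOnly, runtime, breaking };
}

const report = triageAudit(sampleAudit);
console.log(`${report.devOnly.length} dev-only advisories, ` +
  `${report.runtime.length} touching runtime deps, ` +
  `breaking fixes: ${report.breaking.join(", ") || "none"}`);
```

Only the `runtime` list deserves attention for a shipped artifact; the `devOnly` list is the build-tooling noise the comment describes.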

ChapelR commented 5 years ago

I'm going to close this for now. If you have further comments or concerns I'm happy to re-open it.