SignHash / signhash-webapp

MIT License

UglifyJS security vulnerabilities #25

Closed jksf closed 6 years ago

jksf commented 6 years ago

We use uglify-js in version 1.2.6. It is vulnerable to: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8857 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858

Can we upgrade to 2.6.0?

biern commented 6 years ago

@jstefanski turns out that this security alert concerns e2e/tests/package-lock.json so it has no impact on the app itself. It's a subdependency of testcafe -> testcafe-legacy-api -> uglify-js, I believe we can't control it. I've tried bumping the testcafe version but it's still not fixed #29. Since it runs only on CI / dev machine it's not any security risk and we can just ignore it until they bump it.
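The comment above maps the advisory to a chain inside the test-only lockfile. One way to verify such a claim without trusting the alert's summary is to walk the lockfile itself and list every path that resolves to the flagged package, with the version each path actually gets. The script below is an added example, not code from the SignHash repository or from testcafe; the embedded lockfile is a constructed lockfileVersion 1 document that mimics the chain described in the thread (the version numbers for testcafe and testcafe-legacy-api are made up), and 2.6.0 is taken as the fixed version only because that is the upgrade the issue proposes.

```javascript
'use strict';

// Walk an npm lockfile (lockfileVersion 1 layout: a nested "dependencies"
// tree whose entries carry "version", optional "requires" and optional nested
// "dependencies") and report every resolution path from a top-level package
// to a target package, so a CVE advisory can be traced to the package that
// pulls the vulnerable version in.

// Constructed sample lockfile; versions are illustrative, not copied from the
// project's real e2e/tests/package-lock.json.
const SAMPLE_LOCK = {
  name: 'e2e-tests',
  lockfileVersion: 1,
  dependencies: {
    testcafe: {
      version: '0.20.0',
      requires: { 'testcafe-legacy-api': '3.1.6' },
    },
    'testcafe-legacy-api': {
      version: '3.1.6',
      requires: { 'uglify-js': '1.2.6' },
      // npm nests a private copy here because the hoisted uglify-js is a
      // different major version.
      dependencies: {
        'uglify-js': { version: '1.2.6' },
      },
    },
    // Hoisted copy, used by anything that asks for a 3.x release.
    'uglify-js': { version: '3.3.9' },
  },
};

// Resolve `name` the way Node does: nearest enclosing node_modules first,
// walking outward to the lockfile root. `stack` is the chain of lockfile
// entries from the root down to the package doing the require.
function resolve(stack, name) {
  for (let i = stack.length - 1; i >= 0; i--) {
    const deps = stack[i].dependencies;
    if (deps && Object.prototype.hasOwnProperty.call(deps, name)) return deps[name];
  }
  return null;
}

// Depth-first walk over "requires" edges. Returns one record per distinct
// path ending at `target`: the package names along it and the version that
// resolves at its end.
function findPaths(lock, target) {
  const results = [];
  const walk = (stack, names, seen) => {
    const entry = stack[stack.length - 1];
    const name = names[names.length - 1];
    if (name === target) {
      results.push({ path: names.slice(), version: entry.version });
      return;
    }
    const key = `${name}@${entry.version}`;
    if (seen.has(key)) return; // cycle guard for circular requires
    const next = new Set(seen).add(key);
    for (const dep of Object.keys(entry.requires || {})) {
      const child = resolve(stack, dep);
      if (!child) continue; // dangling require: lockfile is inconsistent
      walk(stack.concat(child), names.concat(dep), next);
    }
  };
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    walk([lock, entry], [name], new Set());
  }
  return results;
}

// Numeric comparison of dotted versions (no ranges, no prerelease tags).
// Negative, zero or positive, like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Flag each path whose resolved version is older than `fixedVersion`.
function audit(lock, target, fixedVersion) {
  return findPaths(lock, target).map((r) => ({
    ...r,
    vulnerable: compareVersions(r.version, fixedVersion) < 0,
  }));
}

if (typeof module !== 'undefined' && require.main === module) {
  // 2.6.0 is assumed as the fixed version because it is the upgrade the issue asks for.
  for (const f of audit(SAMPLE_LOCK, 'uglify-js', '2.6.0')) {
    console.log(`${f.path.join(' -> ')}  ${f.version}  ${f.vulnerable ? 'VULNERABLE' : 'ok'}`);
  }
}
```

Run against the sample, the output shows that both paths through testcafe-legacy-api land on the nested 1.2.6 copy while the hoisted top-level uglify-js is a 3.x release, which is exactly the situation in which a naive "is uglify-js up to date?" check passes while the advisory still applies. Against a real checkout, `npm ls uglify-js` run inside e2e/tests gives the same tree from the installed modules, and the lockfile's location (the test directory rather than the application's own package-lock.json) is what decides whether the code ships to users.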