TAMULib / CAP

MIT License

Address current dependabot security concerns. #203

Open kaladay opened 1 year ago

kaladay commented 1 year ago

There are some dependabot reported security issues that may or may not be reported by npm audit.

Dependabot doesn't always report the security issues, but when cross-referencing other projects, such as SAGE, one can find the issues. Cross-reference the issues.

Review these and see if it is possible to safely update these. These may require using overrides. If that is the case be sure to perform extra checks for regressions.

Such cases would be, for example, minimatch, where some dependencies need a 5.x version of minimatch but the override is set to ^3.0.0.

Cursory investigation on patterns like "minimatch": ">=3.1.2", or "minimatch": "^3.1.2 || >=3.1.2", results in always using a 5.x version, and patterns like "minimatch": "^3.1.2", result in always using a 3.x version.

When there are dependencies requiring different versions there does not seem to be a way to allow a 3.1.2 to match for 3.x version and a 5.1.1 to match for a 5.x version.
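A defender-side check for the regression the comment describes, added here as an example and not code from the CAP project: it walks the `packages` map of a lockfileVersion 2/3 package-lock.json and flags every installed copy of a dependency whose version is below a chosen minimum, so an override can be verified before and after it is applied. The lockfile contents, the `some-tool` package and the version numbers are constructed for the demonstration.

```javascript
// Added example (not from the CAP project): report every resolved copy of a
// dependency in a package-lock.json and flag copies below a minimum version.

function parseVersion(v) {
  // Only major.minor.patch is compared; prerelease tags are ignored.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns one record per installed copy of `name` found in lock.packages.
// A copy with an unparsable version is treated as below the minimum.
function auditLockfile(lock, name, minimum) {
  const min = parseVersion(minimum);
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The root package has the empty key; nested copies end in node_modules/<name>.
    if (path === '' || !path.endsWith('node_modules/' + name)) continue;
    const v = parseVersion(entry.version || '');
    results.push({
      path,
      version: entry.version,
      belowMinimum: v === null || compareVersions(v, min) < 0,
    });
  }
  return results;
}

// Constructed sample lockfile (not the project's real lock): a hoisted 3.x copy
// and a nested 5.x copy pulled in by a hypothetical package that needs ^5.1.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample', version: '1.0.0' },
    'node_modules/minimatch': { version: '3.0.4' },
    'node_modules/some-tool': { version: '2.0.0', dependencies: { minimatch: '^5.1.0' } },
    'node_modules/some-tool/node_modules/minimatch': { version: '5.1.1' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of auditLockfile(SAMPLE_LOCK, 'minimatch', '3.1.2')) {
    console.log(`${r.path}: ${r.version}${r.belowMinimum ? '  <-- below 3.1.2' : ''}`);
  }
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; `npm ls minimatch` gives the same picture from npm's side.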