Closed issackjohn closed 7 months ago
Perhaps we should find a new static development http server module since `http-server` isn't receiving updates and we have very few features we actually need for local development, but this looks like a simple fix in the meantime.
Adding "trivial change" label since this doesn't affect the actual benchmark content.
FYI: javascript-web-components & news-next had `http-server` listed as a dependency so I used `npm install follow-redirects` there instead of `npm install follow-redirects --save-dev`
It's not clear to me why you added `follow-redirects` as a direct dependency instead of just updating the package-lock file. `npm audit fix` should do this for you... including updating other things - we actually have other CVEs (babel, semver, word-wrap, to mention only the ones at the top level), so why update just `follow-redirects`?
BTW we're not affected by this specific CVE, because as you mentioned, `follow-redirects` is used for the proxy feature (and just if it's configured to follow redirects), but we're not using it.
Outdated by #360
Affected files:
closes #351