Wicklets / wick-editor

A free and open-source tool for creating games, animations and everything in-between!
https://www.wickeditor.com
GNU General Public License v3.0

Found 91 vulnerabilities when installing dependencies with npm #16

Open kryptot7 opened 5 years ago

kryptot7 commented 5 years ago

After installing wick-editor's dependencies with npm, it tells me there are 91 vulnerabilities in the scanned packages. I ran npm audit and these were the results:

found 91 vulnerabilities (63 low, 9 moderate, 19 high) in 33630 scanned packages
  run `npm audit fix` to fix 5 of them.
  86 vulnerabilities require semver-major dependency updates.

I'm new to npm and React, so is this normal for projects in development?

edit: Next, I installed gulp and jsdoc then ran npm install again, which found 6 vulnerabilities (1 low, 1 moderate, 4 high).

elsassph commented 5 years ago

LOL a few months later:

found 1023 vulnerabilities (63 low, 9 moderate, 949 high, 2 critical) in 35213 scanned

TBH a lot of these warnings are rubbish: build tools (node_sass, eslint,...), and minor stuff (lodash prototype pollution) make a lot of noise.

I'm a bit more concerned how Wick Engine dependencies are managed, see #26

zachrispoli commented 5 years ago

I've managed to resolve about 1000 of these issues by running npm audit fix (I'm following this guide).

There are still 66 vulnerabilities that require a dependency to update where there's a "semantic version major change", where apparently the API of the dependency changes which could break other dependencies that use that API.

Will try to fix the rest of the vulnerabilities without breaking the app. Wish me luck and sorry for taking a while here - I'm still learning!
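The triage the two comments above are doing by hand (separating noise from build-only tooling from advisories that matter for the shipped app, and spotting the ones that can only be fixed by a semver-major bump) can be done mechanically against `npm audit --json`. The script below is an added example; it is not code from the wick-editor project or from anyone in this thread. It assumes the npm 7+ report schema (`auditReportVersion: 2`, with per-package `isDirect`, `effects` and `fixAvailable` fields; npm 6 used a different `advisories`/`actions` layout), and the report and package names it triages are constructed and hypothetical.

```javascript
// Added example: triage an `npm audit --json` report (npm 7+ schema assumed:
// auditReportVersion 2 with per-package `isDirect`, `effects`, `fixAvailable`).
// Not part of the wick-editor project; all package names below are hypothetical.

// Constructed stand-in for the devDependencies section of a package.json.
const SAMPLE_DEV_DEPENDENCIES = new Set(['build-tool']);

// Constructed sample report with hypothetical packages and advisories.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    // Direct devDependency whose only fix is a major version bump.
    'build-tool': {
      name: 'build-tool', severity: 'high', isDirect: true, via: ['archive-lib'],
      effects: [], range: '<=4.0.0',
      fixAvailable: { name: 'build-tool', version: '5.0.0', isSemVerMajor: true },
    },
    // Transitive package reached only through build-tool.
    'archive-lib': {
      name: 'archive-lib', severity: 'high', isDirect: false,
      via: [{ title: 'constructed advisory', severity: 'high', url: 'https://example.invalid/1' }],
      effects: ['build-tool'], range: '<2.0.0',
      fixAvailable: { name: 'build-tool', version: '5.0.0', isSemVerMajor: true },
    },
    // Shipped runtime dependency that plain `npm audit fix` can patch in place.
    'util-lib': {
      name: 'util-lib', severity: 'low', isDirect: true,
      via: [{ title: 'constructed advisory', severity: 'low', url: 'https://example.invalid/2' }],
      effects: [], range: '<1.2.3', fixAvailable: true,
    },
    // Shipped direct dependency whose fix is a major bump ...
    'ui-kit': {
      name: 'ui-kit', severity: 'moderate', isDirect: true, via: ['runtime-lib'],
      effects: [], range: '<3.0.0',
      fixAvailable: { name: 'ui-kit', version: '3.0.0', isSemVerMajor: true },
    },
    // ... and the transitive package underneath it.
    'runtime-lib': {
      name: 'runtime-lib', severity: 'moderate', isDirect: false,
      via: [{ title: 'constructed advisory', severity: 'moderate', url: 'https://example.invalid/3' }],
      effects: ['ui-kit'], range: '<0.9.0',
      fixAvailable: { name: 'ui-kit', version: '3.0.0', isSemVerMajor: true },
    },
    // Shipped dependency for which no fixed version is published.
    'orphan-lib': {
      name: 'orphan-lib', severity: 'high', isDirect: true,
      via: [{ title: 'constructed advisory', severity: 'high', url: 'https://example.invalid/4' }],
      effects: [], range: '*', fixAvailable: false,
    },
  },
};

// Walk `effects` upward to the direct dependencies through which `name` is
// installed. A package that is itself direct counts as its own root.
function directRoots(report, name, seen = new Set()) {
  const vuln = report.vulnerabilities[name];
  if (!vuln || seen.has(name)) return [];
  seen.add(name);
  const roots = vuln.isDirect ? [name] : [];
  for (const parent of vuln.effects || []) roots.push(...directRoots(report, parent, seen));
  return roots;
}

// Sort each advisory into exactly one bucket, checked in this order:
//   devOnly      reachable only via devDependencies (never in the shipped bundle)
//   noFix        shipped, and npm knows no fixed version
//   semverMajor  shipped, fixable only by a major bump (`npm audit fix --force`)
//   autoFixable  shipped, fixable by plain `npm audit fix`
function triageAudit(report, devDependencies) {
  const buckets = { devOnly: [], noFix: [], semverMajor: [], autoFixable: [] };
  const bySeverity = { critical: 0, high: 0, moderate: 0, low: 0, info: 0 };
  for (const vuln of Object.values(report.vulnerabilities)) {
    bySeverity[vuln.severity] = (bySeverity[vuln.severity] || 0) + 1;
    const roots = directRoots(report, vuln.name);
    // Classify as dev-only only when every root is a known devDependency;
    // a package with no resolvable root is treated as shipped (safe default).
    if (roots.length > 0 && roots.every((r) => devDependencies.has(r))) {
      buckets.devOnly.push(vuln.name);
    } else if (vuln.fixAvailable === false) {
      buckets.noFix.push(vuln.name);
    } else if (typeof vuln.fixAvailable === 'object' && vuln.fixAvailable.isSemVerMajor) {
      buckets.semverMajor.push(vuln.name);
    } else {
      buckets.autoFixable.push(vuln.name);
    }
  }
  return { buckets, bySeverity };
}

// Usage: npm audit --json > audit.json && node triage-audit.js audit.json package.json
// With no arguments the constructed sample above is triaged instead.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const [reportPath, pkgPath] = process.argv.slice(2);
  const report = reportPath ? JSON.parse(fs.readFileSync(reportPath, 'utf8')) : SAMPLE_REPORT;
  const devDeps = pkgPath
    ? new Set(Object.keys(JSON.parse(fs.readFileSync(pkgPath, 'utf8')).devDependencies || {}))
    : SAMPLE_DEV_DEPENDENCIES;
  console.log(JSON.stringify(triageAudit(report, devDeps), null, 2));
}
```

Two caveats for anyone using this on a real report. First, npm can do the dev filtering itself (`npm audit --omit=dev` on npm 7+, `npm audit --production` on npm 6), so the script mainly adds the semver-major split and a machine-readable summary for CI. Second, "dev-only" means "not in the shipped bundle", not "harmless": build tooling runs on developer machines and in CI with write access to the repository and to publishing credentials, so a high-severity advisory in a build tool still deserves a look, just on a different schedule from one in the runtime bundle.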

elsassph commented 5 years ago

Don't take the "fix audit" thing too dramatically, guys. It's blind reporting.