aicore / template-nodejs

A template project with nodejs with pure JS
GNU Affero General Public License v3.0

Lock dependency versions to prevent security issues #15

Closed abose closed 2 years ago

abose commented 2 years ago

Currently, our package.json files include dependencies of the format "^16.0.2" which pulls in the newest version. This can lead to vulnerabilities like this: https://fossbytes.com/developer-corrupts-faker-js-and-color-js/

Fix:

  1. Change dependencies to exact version locks like "@commitlint/cli": "16.0.2",
  2. Enable dependabot automatic dependency upgrades and security checker in github.
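An added example, not code from the aicore/template-nodejs repository or from this issue: a small dependency-free Node script that reads a package.json and reports every dependency whose version spec is a range ("^16.0.2", "~5.5.3", ">=8 <9", "latest") rather than an exact pin ("16.0.2"), which is the check step 1 asks for. The package names and versions in SAMPLE_PACKAGE_JSON are constructed for illustration only.

```javascript
// Added example (not part of the aicore/template-nodejs repository): report
// dependencies in a package.json that are not locked to an exact version.
'use strict';

// Matches an exact semver version: MAJOR.MINOR.PATCH with optional
// pre-release and build metadata, and nothing else (no ^, ~, ranges, tags).
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Dependency sections of package.json that should be pinned.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Returns true when `spec` names exactly one version.
function isExactVersion(spec) {
  return typeof spec === 'string' && EXACT_VERSION.test(spec.trim());
}

// Parses package.json text and returns { section, name, spec } for every
// dependency whose spec is a range, tag or anything else that is not exact.
function findUnpinned(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const section of SECTIONS) {
    const deps = pkg[section];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, spec] of Object.entries(deps)) {
      if (!isExactVersion(spec)) findings.push({ section, name, spec });
    }
  }
  return findings;
}

// Turns findings into one human-readable line each (empty array = all pinned).
function summarize(findings) {
  return findings.map(
    (f) => `${f.section}: "${f.name}": "${f.spec}" is not an exact version`
  );
}

// Constructed sample package.json (not the repository's real file).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-app',
  dependencies: {
    'left-pad': '1.3.0',        // exact: fine
    'colors': '^1.4.0',         // caret range: flagged
    'faker': '~5.5.3'           // tilde range: flagged
  },
  devDependencies: {
    '@commitlint/cli': '16.0.2', // exact: fine
    'eslint': '>=8.0.0 <9',      // comparator range: flagged
    'mocha': 'latest'            // dist-tag: flagged
  }
}, null, 2);

// Run the check over the constructed sample; in a real project you would read
// the text with fs.readFileSync('package.json', 'utf8') instead.
for (const line of summarize(findUnpinned(SAMPLE_PACKAGE_JSON))) {
  console.log(line);
}
```

Pinning only stops *your* package.json from floating; transitive dependencies still move unless a lockfile is committed and installs use `npm ci`, and a pinned tree is only as safe as the automated update and advisory checks (step 2) that keep it current.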
abose commented 2 years ago

Verified fixed: https://github.com/aicore/template-nodejs/pull/18