akamai / boomerang

End user oriented web performance testing and beaconing
http://akamai.github.io/boomerang/

Critical vulnerabilities in the project #354

Open whtswrng opened 4 months ago

whtswrng commented 4 months ago

If you run npm audit you can see there are "81 vulnerabilities (23 moderate, 44 high, 14 critical)". Do you plan to address them? Right now, it's a serious security risk to deploy the application with boomerang to production, given how many high/critical vulnerabilities are in the project.

bluesmoon commented 4 months ago

boomerang does not need to be installed with npm. You can just concatenate all the source files, minify it and deploy it without using anything else.

nicjansma commented 2 months ago

@whtswrng all of the vulnerabilities noted come from devDependencies which are just used to (optionally) build the bundle. As @bluesmoon mentions, you could do the bundling and minification yourself, if you choose.

There are no known vulnerabilities in the boomerang.js source (including plugins), nor in the 4 open-source libraries that are (optionally) bundled with it.

$ npm audit --omit dev
found 0 vulnerabilities