Closed barmac closed 2 years ago
My assessment

npm audit fix fixed most of the reported vulnerabilities. I decided to upgrade mocha as it's just a dev dependency, and it worked afterwards. The only dependency still reported as vulnerable was trim-newlines via meow. I checked in what context the vulnerable dependency is used, and it turned out to be just a single line: https://github.com/sindresorhus/meow/blob/e1f0e24840634ae58664a70ee9e19ab80166b3f3/index.js#L166 What is more, it refers to an option in the meow configuration which we don't use (options.help). So I believe we are not vulnerable even though npm audit reports the dependency.

Why can't we upgrade meow to a version without an npm audit report?

Since version 10, meow is a pure ESM package. This means that if we want to upgrade, we also need to either move to ESM (=> drop Node < 12 support) or rewrite cli.js to use dynamic import. More on that at https://github.com/sindresorhus/meow/releases/tag/v10.0.0 and https://gist.github.com/sindresorhus/a39789f98801d908bbc7ff3ecc99d99c.
https://github.com/bpmn-io/bpmn-to-image/issues/25#issuecomment-963048420
Closes #25
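The dynamic-import route mentioned in the description, as an added example that is not part of this PR or of bpmn-to-image: a CommonJS cli.js that lazily loads a pure-ESM parser with import() instead of converting the whole file to ESM. The helper names loadParser, runCli and STAND_IN_PARSER, the Node >= 12.17 assumption, and the base64 data: URL stand-in module are all assumptions made here; meow's real API takes a help text and an options object, so the stand-in only mirrors the { input, flags } shape of its result, not its signature.

```javascript
// Added example (not from the PR or bpmn-to-image): keep a CommonJS cli.js
// working with a pure-ESM dependency by loading it with a dynamic import().
// Assumes Node >= 12.17 (unflagged import() in CommonJS, data: URL modules).
// loadParser, runCli and STAND_IN_PARSER are hypothetical names.

// One import per specifier: cache the promise so concurrent callers share it.
const loaderCache = new Map();

function loadParser(specifier) {
  if (!loaderCache.has(specifier)) {
    // import() is allowed inside a CommonJS module, unlike a static import
    // statement, so the entry file can stay CJS while the dependency is ESM.
    const loading = import(specifier).then((mod) =>
      mod.default !== undefined ? mod.default : mod
    );
    loaderCache.set(specifier, loading);
  }
  return loaderCache.get(specifier);
}

// The CLI entry point becomes async: await the parser, then use it.
async function runCli(argv, specifier = 'meow') {
  const parse = await loadParser(specifier);
  return parse(argv);
}

// Constructed stand-in for the ESM package, embedded as a base64 data: URL so
// the example runs offline. It mimics only the { input, flags } result shape.
const STAND_IN_SOURCE = [
  'export default function parse(argv) {',
  '  const input = [];',
  '  const flags = {};',
  '  for (const arg of argv) {',
  '    if (arg.startsWith("--")) {',
  '      const eq = arg.indexOf("=");',
  '      if (eq === -1) flags[arg.slice(2)] = true;',
  '      else flags[arg.slice(2, eq)] = arg.slice(eq + 1);',
  '    } else {',
  '      input.push(arg);',
  '    }',
  '  }',
  '  return { input, flags };',
  '}',
].join('\n');
const STAND_IN_PARSER =
  'data:text/javascript;base64,' + Buffer.from(STAND_IN_SOURCE).toString('base64');

// Stand-alone demo with a constructed argv.
runCli(['--out=png', '--verbose', 'diagram.bpmn'], STAND_IN_PARSER).then((result) => {
  console.log(result);
});
```

In a real cli.js the specifier would simply be 'meow' and the top-level code would call runCli(process.argv.slice(2)) and handle the returned promise; the caching matters because every command path that needs the parser otherwise pays for a separate import().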
Thanks for your thorough analysis.