creativetimofficial / argon-dashboard

Argon - Dashboard for Bootstrap 5 by Creative Tim
https://www.creative-tim.com/product/argon-dashboard
MIT License

NPM Vulnerabilities #1

Open ghost opened 6 years ago

ghost commented 6 years ago

It seems you need to do some updating for this build process. When running npm install we get the following vulnerabilities warning:

added 1238 packages from 684 contributors and audited 13219 packages in 60.66s
found 15 vulnerabilities (3 low, 6 moderate, 6 high)

When running npm audit fix we see the result:

fixed 0 of 15 vulnerabilities in 13219 scanned packages
  10 vulnerabilities required manual review and could not be updated
  1 package update for 5 vulns involved breaking changes

I would humbly recommend replacing gulp with Laravel Mix. Mix provides all the build tools you need to build a dynamic JS application with very minimal setup.

If I have some time in the upcoming week I might spec this out and submit a pull request, but please look into replacing this, it creates a much more elegant and developer friendly build environment and can literally be dropped into any project without the need for a declared dist or other build destination.

Thanks as always for all your hard work on this, it's beautiful =)
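The audit output quoted above splits findings into three groups: what `npm audit fix` resolved on its own, what needs a semver-major (breaking) update, and what needs manual review. The following Node script is an added example, not code from this repository or from the issue's author. It reads the report in the JSON layout that `npm audit --json` emits in npm 7 and later (`auditReportVersion: 2`, where each entry's `fixAvailable` is `true`, `false`, or an object carrying `isSemVerMajor`), sorts the findings into those three buckets, and decides whether a CI job should fail. The report embedded below is constructed sample data with made-up package names; the real dependency tree of this project is not reproduced here.

```javascript
// Added example: triage an `npm audit --json` report (auditReportVersion 2,
// npm >= 7) into the three buckets `npm audit fix` reports on.
// SAMPLE_REPORT is constructed sample data, not a real audit of this repo.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the shape of `npm audit --json` (npm >= 7).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-minimist': {
      name: 'example-minimist', severity: 'low', isDirect: false,
      via: [{ title: 'Prototype pollution (constructed)' }],
      fixAvailable: true,                 // plain `npm audit fix` resolves it
    },
    'example-lodash': {
      name: 'example-lodash', severity: 'high', isDirect: false,
      via: [{ title: 'Prototype pollution (constructed)' }],
      // fix exists, but only by bumping a dependent across a major version
      fixAvailable: { name: 'example-gulp', version: '5.0.0', isSemVerMajor: true },
    },
    'example-tar': {
      name: 'example-tar', severity: 'moderate', isDirect: false,
      via: [{ title: 'Path traversal (constructed)' }],
      fixAvailable: false,                // no patched release: manual review
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 1, critical: 0, total: 3 } },
};

// Map npm's `fixAvailable` field onto the wording of the `npm audit fix` summary.
function classifyFix(fixAvailable) {
  if (fixAvailable === true) return 'auto';
  if (fixAvailable && fixAvailable.isSemVerMajor) return 'breaking';
  return 'manual';
}

// Group every finding by how it can be fixed, keeping name, severity and
// advisory titles. `via` mixes advisory objects with plain dependent names,
// so only the objects are inspected for titles.
function triageAudit(report) {
  const buckets = { auto: [], breaking: [], manual: [] };
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    buckets[classifyFix(vuln.fixAvailable)].push({
      name: vuln.name,
      severity: vuln.severity,
      titles: (vuln.via || []).filter(v => typeof v === 'object').map(v => v.title),
    });
  }
  return buckets;
}

// CI gate: any finding at or above `floor` that `npm audit fix` cannot
// resolve on its own (breaking or manual) is treated as blocking.
function shouldFailBuild(report, floor = 'high') {
  const minRank = SEVERITY_RANK[floor];
  const { breaking, manual } = triageAudit(report);
  return [...breaking, ...manual].some(v => SEVERITY_RANK[v.severity] >= minRank);
}

// One-line summary in the same spirit as npm's own output.
function summarize(report) {
  const b = triageAudit(report);
  return `fixed automatically: ${b.auto.length}, ` +
         `breaking update needed: ${b.breaking.length}, ` +
         `manual review: ${b.manual.length}`;
}

console.log(summarize(SAMPLE_REPORT));
console.log('fail build (floor=high):', shouldFailBuild(SAMPLE_REPORT, 'high'));
```

Against a real project the report would come from `npm audit --json` and be passed to `triageAudit` after `JSON.parse`; the useful part for a maintainer is the `breaking` and `manual` buckets, which are exactly the findings an automated `npm audit fix` run in CI will keep reporting until someone decides on the major-version bump or replaces the dependency.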

extrabright commented 6 years ago

Hi,

Thanks a lot for your message. I understand that. However, this theme is not a Laravel app, so there is no need to use a whole framework just for using the Mix they offer.

On the other side NPM will not be the default method in the near future for us. In the next update we will drop npm and use Yarn instead.

But, please, feel free to send us the specs and we'll take a look. Maybe something good will come out from this :)

ghost commented 6 years ago

Wow. I'm not even sure where to begin.

Laravel-Mix is a wrapper for webpack, it has no dependency on Laravel, it can be used in any application. Maybe you should check it out before you discount it https://laravel-mix.com

Next ... yarn is a package manager for npm and in reality IS an npm package itself. It doesn't really have anything to do with your app. It's installed globally on a user's computer and then they can manage dependencies using yarn or npm, there's not a lot of difference other than the additional benefits you might get in speed and caching from aliasing yarn.

You can take a look at my argon fork which integrates Mix, Vue and Vuex and I've begun to build out all the example pages into dedicated Vue components.

ghost commented 6 years ago

I jumped the gun, I haven't pushed any of the Vue set up yet, my bad.

extrabright commented 6 years ago

It sounds really good. I will play a bit with Laravel Mix and see how it goes :)

ghost commented 6 years ago

@extrabright

The full Vue spa version is available on my fork. Check readme for install instructions. Still need to work in the tabs for the dashboard sales chart, any help would be appreciated.