creativetimofficial / ct-black-dashboard-pro-react

Black Dashboard PRO React: A premium Bootstrap & Reactstrap Admin Template
https://www.creative-tim.com/product/black-dashboard-pro-react

[Bug] NPM Vulnerabilities #15

Closed GreenAsJade closed 4 years ago

GreenAsJade commented 5 years ago

Version

1.0.0

Reproduction link

https://www.creative-tim.com/product/black-dashboard-react

Operating System

OSX

Device

Macbook Pro

Browser & Version

N/A

Steps to reproduce

  1. Download & unpack the package linked above
  2. npm install
  3. npm audit

What is expected?

Clean bill of health

What is actually happening?

found 64 vulnerabilities (63 low, 1 high) in 38314 scanned packages 63 vulnerabilities require semver-major dependency updates. 1 vulnerability requires manual review. See the full report for details.


Solution

This product needs to be updated to react-scripts@3.0.1

Additional comments

npm audit notes that this may be a breaking change.

We have not tried it yet.
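An added example (not code from the issue or the product) of triaging the report that the `npm install` / `npm audit` steps above produce, assuming the npm 6 `npm audit --json` schema (`actions`, `advisories`, per-path `dev` flag) and a constructed sample report; it separates what needs a semver-major bump, what needs manual review, and what is reachable only through devDependencies:

```python
import json
from collections import Counter

# Constructed sample in the npm 6 `npm audit --json` shape; NOT the issue's real
# report. Advisory ids, module names and the "placeholder" titles are made up.
SAMPLE_AUDIT_JSON = json.dumps({
    "actions": [
        # Fix exists, but only via a semver-major bump of a devDependency.
        {"action": "update", "module": "react-scripts", "target": "3.0.1", "isMajor": True,
         "resolves": [{"id": 1001, "path": "react-scripts>webpack-dev-server", "dev": True}]},
        # No automatic fix: npm asks for manual review.
        {"action": "review", "module": "lodash",
         "resolves": [{"id": 1002, "path": "react-scripts>lodash", "dev": True}]},
        # Minor update of a package that ships in the runtime bundle.
        {"action": "update", "module": "moment", "target": "2.19.4", "isMajor": False,
         "resolves": [{"id": 1003, "path": "moment", "dev": False}]},
    ],
    "advisories": {
        "1001": {"id": 1001, "module_name": "webpack-dev-server", "severity": "low", "title": "placeholder"},
        "1002": {"id": 1002, "module_name": "lodash", "severity": "high", "title": "placeholder"},
        "1003": {"id": 1003, "module_name": "moment", "severity": "low", "title": "placeholder"},
    },
})


def triage(report_text):
    """Bucket advisories by severity, by the fix npm can offer, and by reachability."""
    report = json.loads(report_text)
    severity = Counter(a["severity"] for a in report["advisories"].values())
    fix_type = {}        # advisory id -> "semver-major" | "manual-review" | "patch-or-minor"
    dev_only = {}        # advisory id -> True while every path runs through devDependencies
    for action in report["actions"]:
        for finding in action["resolves"]:
            adv_id = finding["id"]
            if action["action"] == "review":
                fix_type[adv_id] = "manual-review"
            elif action.get("isMajor"):
                fix_type[adv_id] = "semver-major"
            else:
                fix_type.setdefault(adv_id, "patch-or-minor")
            # A single non-dev path makes the advisory runtime-reachable.
            dev_only[adv_id] = dev_only.get(adv_id, True) and bool(finding.get("dev"))
    return {
        "by_severity": dict(severity),
        "semver_major": sorted(i for i, t in fix_type.items() if t == "semver-major"),
        "manual_review": sorted(i for i, t in fix_type.items() if t == "manual-review"),
        "runtime_reachable": sorted(i for i, d in dev_only.items() if not d),
        "dev_only": sorted(i for i, d in dev_only.items() if d),
    }
```

Advisories in the `dev_only` bucket affect build tooling on the developer machine or CI, not the bundle served to users, so they can be scheduled with the react-scripts upgrade while anything `runtime_reachable` is looked at first.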

einazare commented 5 years ago

Hello there, @GreenAsJade ,

Thank you for your interest in working with our products. You do not need to be concerned about those vulnerabilities. This is something relatively new in npm, and it only notifies you that you have “old” dependencies. One year ago, npm didn’t have this functionality, and everybody was happy with the dependencies they had in their projects. I have seen projects, projects that are being used in production, with dependencies as old as 5 years. What I am trying to say is that those vulnerabilities are not really vulnerabilities. We are trying to update our products to the latest versions of our dependencies, but having lots of support, working on new products and projects and having lots of products, it is kind of hard to update all products. We are very sorry for this inconvenience. You can go ahead and modify our products by updating them yourself, but we won’t be able to help you if something goes wrong, that is why it is better to wait for our updates.

Hope this is a bit clearer.

Best, Manu

GreenAsJade commented 5 years ago

Thanks for your quick reply. I think that npm audit was introduced in response to perceived issues with vulnerabilities of the npm system :) So the fact that it is new doesn't mean there isn't a problem.

We took a look in detail at the vulnerabilities it listed, and agree that they don't present a problem to us right now.

We'll look forward to your updates :)

(I see that the Blk Design System is clean, which is great).

alexolivas commented 4 years ago

Is there any news on providing updates to the theme? In addition to getting the npm vulnerabilities, I am forced to build my project using node 12 because of the theme's version of node-sass (4.11.0). I was on the latest version of node and wasn't able to use the theme until I downgraded.

Would you be open to accept a pull request?

einazare commented 4 years ago

Hello there, @alexolivas ,

The update will be done by the end of this month. To make it work with the Latest Stable Version of NodeJs you just need to change the node-sass version to 4.13.0.

Best, Manu