Closed jfoclpf closed 4 years ago
This is a CLI-based dev tool designed to run locally on your development machine so the reported vulnerabilities are irrelevant - how could a hacker exploit these modules when they are running on your local machine?
The vulnerabilities highlighted by npm audit are only relevant if the modules are publicly exposed (e.g. in a node JS server) where they could be exploited.
Therefore closing this as out of scope.
Ok, fair enough, but I didn't look thoroughly at all the reported vulnerabilities, that's why I reported.
Anyway, I'd say you could update the dependencies and fix the vulnerabilities. All it takes, I suppose, is merely
npm update && npm audit fix
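Before running `npm update && npm audit fix` blindly, it helps to know which of the reported findings a plain `npm audit fix` can actually clear, which need a semver-major bump (`npm audit fix --force`), and which have no fix at all. The script below is an added example, not code from this issue or from the project: it triages the JSON report that `npm audit --json` produces (npm 7+ format, `auditReportVersion` 2). The report it parses is a constructed sample, and the package names and advisory URLs in it are hypothetical placeholders.

```python
import json

# Constructed sample of `npm audit --json` output in the npm 7+ report
# format (auditReportVersion 2). Package names, versions and advisory
# URLs are hypothetical placeholders, not real packages or advisories.
SAMPLE_AUDIT_JSON = r'''
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "example-lib": {
      "name": "example-lib", "severity": "high", "isDirect": true,
      "via": [{"source": 1001, "name": "example-lib", "title": "placeholder advisory",
               "url": "https://example.invalid/advisories/1001",
               "severity": "high", "range": "<2.0.0"}],
      "effects": [], "range": "<2.0.0", "nodes": ["node_modules/example-lib"],
      "fixAvailable": {"name": "example-lib", "version": "2.0.0", "isSemVerMajor": true}
    },
    "helper-lib": {
      "name": "helper-lib", "severity": "moderate", "isDirect": false,
      "via": ["nested-lib"], "effects": ["example-lib"], "range": "1.0.0 - 1.4.2",
      "nodes": ["node_modules/helper-lib"], "fixAvailable": true
    },
    "abandoned-lib": {
      "name": "abandoned-lib", "severity": "critical", "isDirect": false,
      "via": [{"source": 1002, "name": "abandoned-lib", "title": "placeholder advisory",
               "url": "https://example.invalid/advisories/1002",
               "severity": "critical", "range": "*"}],
      "effects": [], "range": "*", "nodes": ["node_modules/abandoned-lib"],
      "fixAvailable": false
    }
  },
  "metadata": {
    "vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 1, "critical": 1, "total": 3}
  }
}
'''

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def classify_fix(fix_available):
    """Map npm's fixAvailable field to what it takes to clear the finding.

    npm emits `true` when a plain `npm audit fix` resolves it, an object
    naming the package to bump when a semver-major change is required
    (i.e. `npm audit fix --force`), and `false` when no fix exists yet.
    """
    if fix_available is True:
        return "audit-fix"
    if isinstance(fix_available, dict):
        return "major-bump" if fix_available.get("isSemVerMajor") else "audit-fix"
    return "none"


def triage(report_json, min_severity="high"):
    """Return findings at or above min_severity, most severe first."""
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        severity = vuln.get("severity", "info")
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue
        # `via` mixes advisory objects (the root cause) with plain package
        # names (the dependency through which the problem is inherited).
        advisories = [v["url"] for v in vuln.get("via", [])
                      if isinstance(v, dict) and "url" in v]
        findings.append({
            "name": name,
            "severity": severity,
            "direct": bool(vuln.get("isDirect")),
            "range": vuln.get("range", ""),
            "fix": classify_fix(vuln.get("fixAvailable", False)),
            "advisories": advisories,
        })
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["name"]))
    return findings


def audit_passes(report_json, min_severity="high"):
    """CI gate: True only if nothing at or above min_severity remains."""
    return not triage(report_json, min_severity)


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_JSON, "moderate"):
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['severity']:<9} {f['name']} ({kind}, {f['range']}) fix: {f['fix']}")
    print("gate passes:", audit_passes(SAMPLE_AUDIT_JSON))
```

In a real checkout the input would come from `npm audit --json > audit.json` rather than the embedded sample. The useful output is the `fix` column: findings marked `audit-fix` are what `npm audit fix` clears, `major-bump` means a breaking upgrade of a direct dependency (and a test run afterwards), and `none` means the package has to be replaced or the risk accepted explicitly.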
Bug report
The dependencies of this package are outdated; when I run npm audit, a lot of high-priority vulnerabilities pop up.