Describe the bug
If we run:
It shows that we have 173 high security vulnerabilities.
These are just dependencies not dev dependencies. We have nearly 300 if you factor in dev dependencies.
A fair portion of these are packages that we're not using directly. It might be possible that upgrading to a minor or subversion of some of our libraries fixes this issue. For example, we're on an older version of web3 and doing a major upgrade might not be as easy as we would like. With Web3 we are on 1.8.2 and there is a 1.10.4 published 3 days ago and maybe we're compatible with that.
We could first try to upgrade these package versions, then see what happens. If we're lucky we'll get 40-60% of these fixed.
... after this it will get more complicated and we'll have to upgrade indirect package dependencies used by our direct dependencies and things get more complicated.
`yarn audit` doesn't tell us if upgrading the direct dependency will fix the vulnerabilities in indirect dependencies (which is frustrating because it has the data to do that)
@jnaviask @timolegros @ForestMars