hicommonwealth / commonwealth

A platform for decentralized communities
https://commonwealth.im
GNU General Public License v3.0

Strategy / Discussion for handling 173 high security vulnerabilities. #7615

Open burtonator opened 6 months ago

burtonator commented 6 months ago

Describe the bug

If we run:

 yarn audit --level high --groups dependencies

It shows that we have 173 high security vulnerabilities.

These are just dependencies not dev dependencies. We have nearly 300 if you factor in dev dependencies.

... after this it will get more complicated and we'll have to upgrade indirect package dependencies used by our direct dependencies and things get more complicated.

yarn audit doesn't tell us if upgrading the direct dependency will fix the vulnerabilities in indirect dependencies (which is frustrating because it has the data to do that).

@jnaviask @timolegros @ForestMars
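The complaint above is that yarn audit reports each transitive finding but never says which direct dependency's upgrade would cover it. The following is an added example, not code from this issue or from the Commonwealth repository: it reads the one-object-per-line JSON that Yarn v1 `yarn audit --json` prints and groups advisories by the first segment of each `resolution.path` (the package declared in our own package.json). The package names and advisory ids in the sample are constructed placeholders.

```javascript
// Added example, not code from the issue or the Commonwealth repository.
// Groups the advisories that Yarn v1 `yarn audit --json` emits (one JSON
// object per line) by the direct dependency at the head of each dependency
// path, so you can see which direct upgrade covers which transitive findings.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// ndjson: raw text of `yarn audit --json`; minSeverity mirrors `--level`;
// includeDev=false mirrors `--groups dependencies`.
function groupAdvisoriesByDirectDep(ndjson, minSeverity = 'high', includeDev = false) {
  const groups = {};
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    const record = JSON.parse(line);
    if (record.type !== 'auditAdvisory') continue; // skip the auditSummary line
    const { resolution, advisory } = record.data;
    if (resolution.dev && !includeDev) continue;
    if ((SEVERITY_RANK[advisory.severity] ?? 0) < SEVERITY_RANK[minSeverity]) continue;
    // resolution.path is "direct>intermediate>...>vulnerable"; the first
    // segment is the package declared in our own package.json.
    const direct = resolution.path.split('>')[0];
    const entry = groups[direct] || (groups[direct] = { ids: new Set(), transitive: [] });
    entry.ids.add(advisory.id); // one advisory reachable via several paths counts once
    entry.transitive.push({ module: advisory.module_name, patched: advisory.patched_versions, path: resolution.path });
  }
  return Object.fromEntries(Object.entries(groups).map(
    ([direct, g]) => [direct, { count: g.ids.size, transitive: g.transitive }]));
}

// Constructed sample audit output (placeholder package names and advisory ids,
// not real findings), in the shape Yarn v1 prints.
const adv = (id, mod, sev, patched) => ({ id, module_name: mod, severity: sev, patched_versions: patched });
const rec = (path, dev, advisory) => ({ type: 'auditAdvisory', data: { resolution: { id: advisory.id, path, dev }, advisory } });
const SAMPLE_AUDIT = [
  rec('pkg-a>lib-x', false, adv(1001, 'lib-x', 'high', '>=2.0.1')),
  rec('pkg-a>lib-y>lib-x', false, adv(1001, 'lib-x', 'high', '>=2.0.1')),
  rec('pkg-a>lib-y', false, adv(1002, 'lib-y', 'critical', '>=5.3.0')),
  rec('pkg-b>lib-w', false, adv(1003, 'lib-w', 'moderate', '>=1.1.0')),
  rec('dev-tool>lib-x', true, adv(1001, 'lib-x', 'high', '>=2.0.1')),
  { type: 'auditSummary', data: { vulnerabilities: { moderate: 1, high: 1, critical: 1 } } },
].map((r) => JSON.stringify(r)).join('\n');

// For a real run: yarn audit --json > audit.ndjson, then pass the file's text.
for (const [direct, g] of Object.entries(groupAdvisoriesByDirectDep(SAMPLE_AUDIT))) {
  console.log(`${direct}: ${g.count} high+ advisories via ${g.transitive.map((t) => t.path).join(', ')}`);
}
```

Whether bumping `pkg-a` actually pulls in the patched transitive versions still depends on its own version ranges, so check `patched` against what the new release resolves to in yarn.lock.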

burtonator commented 6 months ago

I labeled this cleanup as I want to try a few of these package upgrades to see if they fix the issue, or investigate another strategy to audit.