jeffeb3 / sandify

web based user interface to create patterns that could be useful for robots that draw in sand with ball bearings.
MIT License

This is just me doing npm audit fix #206

Closed jeffeb3 closed 3 years ago

jeffeb3 commented 3 years ago

I also changed react-dev-utils based on what github told me to do.

@bobnik, can you confirm this is what I should be doing?

jeffeb3 commented 3 years ago
npm audit

                       === npm audit security report ===

# Run  npm install react-scripts@4.0.3  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ssri                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > terser-webpack-plugin > cacache > ssri       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/565                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > react-dev-utils > immer                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1603                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

found 2 vulnerabilities (1 moderate, 1 high) in 1907 scanned packages
  2 vulnerabilities require semver-major dependency updates.

This is what made me think I needed to push the react-scripts to 4.0.3, but then it doesn't build. What am I missing?
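The report above is the human-readable form of `npm audit`; the same data is available as `npm audit --json`, which is what a CI gate would consume. As an added example (not code from the sandify project), the script below parses a constructed report in the npm 6 JSON shape (`actions`, `advisories`, `metadata`; npm 7 and later emit a different layout), reproduces the two findings quoted above, records whether each fix is a semver-major upgrade as the CLI's SEMVER WARNING indicates, and returns a pass/fail decision at a chosen severity. The sample object is constructed for this example; only the advisory ids, package names and dependency paths are taken from the report above.

```javascript
// Added example: summarise an `npm audit --json` report (npm 6 format assumed)
// and decide whether a build should fail. Not part of the sandify project.

// Constructed sample in the npm 6 JSON shape; ids, packages and paths mirror
// the two advisories shown in the audit output quoted in this thread.
const SAMPLE_AUDIT = {
  actions: [
    {
      action: "install",
      module: "react-scripts",
      target: "4.0.3",
      isMajor: true, // semver-major: the "potentially breaking change" warning
      resolves: [
        { id: 565, path: "react-scripts>terser-webpack-plugin>cacache>ssri", dev: false },
        { id: 1603, path: "react-scripts>react-dev-utils>immer", dev: false },
      ],
    },
  ],
  advisories: {
    565: {
      id: 565,
      module_name: "ssri",
      severity: "moderate",
      title: "Regular Expression Denial of Service",
      url: "https://npmjs.com/advisories/565",
      findings: [{ paths: ["react-scripts>terser-webpack-plugin>cacache>ssri"] }],
    },
    1603: {
      id: 1603,
      module_name: "immer",
      severity: "high",
      title: "Prototype Pollution",
      url: "https://npmjs.com/advisories/1603",
      findings: [{ paths: ["react-scripts>react-dev-utils>immer"] }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 1, critical: 0 }, totalDependencies: 1907 },
};

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Flatten the report into one record per (advisory, dependency path), joined
// with the action that resolves it so each record says what upgrade fixes it
// and whether that upgrade is semver-major.
function summarizeAudit(report) {
  const fixes = new Map();
  for (const action of report.actions || []) {
    for (const r of action.resolves || []) {
      fixes.set(String(r.id), { fixedBy: `${action.module}@${action.target}`, isMajor: Boolean(action.isMajor) });
    }
  }
  const findings = [];
  for (const [id, adv] of Object.entries(report.advisories || {})) {
    const fix = fixes.get(id) || { fixedBy: null, isMajor: false };
    for (const f of adv.findings || []) {
      for (const path of f.paths || []) {
        findings.push({ id: Number(id), module: adv.module_name, severity: adv.severity, title: adv.title, path, ...fix });
      }
    }
  }
  // Counts are per path here; the CLI counts unique advisories, which is the
  // same number whenever each advisory has a single path, as in this sample.
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  for (const f of findings) counts[f.severity] = (counts[f.severity] || 0) + 1;
  return { findings, counts, total: findings.length, requiresMajor: findings.filter((f) => f.isMajor).length };
}

// Returns true when the build should fail: any finding at or above `failAt`.
function auditGate(report, failAt = "high") {
  const threshold = SEVERITY_ORDER.indexOf(failAt);
  return summarizeAudit(report).findings.some((f) => SEVERITY_ORDER.indexOf(f.severity) >= threshold);
}

// Render a compact text report similar in spirit to the CLI table.
function renderReport(report) {
  const s = summarizeAudit(report);
  const lines = s.findings.map(
    (f) => `${f.severity.padEnd(8)} ${f.title} in ${f.module} via ${f.path} (fix: ${f.fixedBy}${f.isMajor ? ", semver-major" : ""})`
  );
  lines.push(`found ${s.total} vulnerabilities (${s.counts.moderate} moderate, ${s.counts.high} high); ${s.requiresMajor} require semver-major updates`);
  return lines.join("\n");
}

console.log(renderReport(SAMPLE_AUDIT));
console.log(auditGate(SAMPLE_AUDIT, "high") ? "audit gate: FAIL" : "audit gate: pass");
```

Failing the build on `high` while merely reporting `moderate` is a common starting policy; the `isMajor` flag is what separates an `npm audit fix` that is safe to apply automatically from one that, as in this thread, needs a deliberate `react-scripts` upgrade and a build verification.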

bobnik commented 3 years ago

This is what made me think I needed to push the react-scripts to 4.0.3, but then it doesn't build. What am I missing?

@jeffeb3 I ultimately upgraded everything. This requires Node 12.x. If you can install/run locally with a clean install, then I think this is good to merge.

jeffeb3 commented 3 years ago

hmmm. I'm on node 6.x :)

I am trying to upgrade now, but I don't want to risk breaking my system, so I am going cautiously.

It looks like there might still be more audit fix issues.