I've updated some of the NPM packages to resolve known security vulnerabilities in dependencies.
Since this project uses create-react-app, not all of the dependencies are used in the production build. Many of them, especially the dependencies of react-scripts, are only used in the development environment or during CI builds. Vulnerabilities found in these dev dependencies are less of a threat because 99% of the time, the vulnerability cannot be exploited via the build output (html/js) that runs in the browser.
To ensure that we are addressing any true security concerns, we should be sure to keep any user facing code listed in the dependencies list and all build-time dependencies in devDependencies. Then we can use the command yarn audit --groups dependencies to easily list all packages that we are using with known vulnerabilities.
Here's the output of this command before the changes in this PR:
Here's the output of this command after the changes in this PR. The warnings are due to us now forcing updates to our dependency's dependencies.
$ yarn audit --groups dependencies
yarn audit v1.22.21
warning Resolution field "jackspeak@2.1.1" is incompatible with requested version "jackspeak@^2.3.5"
warning Resolution field "strip-ansi@6.0.1" is incompatible with requested version "strip-ansi@^7.0.1"
warning Resolution field "strip-ansi@6.0.1" is incompatible with requested version "strip-ansi@^7.0.0"
warning Resolution field "strip-ansi@6.0.1" is incompatible with requested version "strip-ansi@^7.0.1"
0 vulnerabilities found - Packages audited: 262
I've updated some of the NPM packages to resolve known security vulnerabilities in dependencies.
Since this project uses
create-react-app
, not all of the dependencies are used in the production build. Many of them, especially the dependencies ofreact-scripts
, are only used in the development environment or during CI builds. Vulnerabilities found in these dev dependencies are less of a threat because 99% of the time, the vulnerability cannot be exploited via the build output (html/js) that runs in the browser.Here are more detailed explanations of the situation: https://github.com/facebook/create-react-app/issues/11174 https://overreacted.io/npm-audit-broken-by-design/
To ensure that we are addressing any true security concerns, we should be sure to keep any user facing code listed in the
dependencies
list and all build-time dependencies indevDependencies
. Then we can use the commandyarn audit --groups dependencies
to easily list all packages that we are using with known vulnerabilities.Here's the output of this command before the changes in this PR:
Here's the output of this command after the changes in this PR. The warnings are due to us now forcing updates to our dependency's dependencies.