markusenglund / react-kanban

A Trello-like application built with React and Redux. Take a look at the live website:
https://www.reactkanban.com
MIT License
1.73k stars 245 forks

update package.json #5

Closed sheksushant closed 6 years ago

sheksushant commented 6 years ago

Please update the package.json; the repo contains 500+ vulnerabilities.

markusenglund commented 6 years ago

Indeed npm reports 500+ vulnerabilities. I looked into what these vulnerabilities actually are and it seems like the vast majority of them exist in dependencies of this package's devDependencies. So I don't think any insecure code actually makes it into either the client or server side code of react-kanban.

Updating the dependencies doesn't make the problem go away either since the latest versions available depend on the insecure packages.

But I'm pretty sure it's a non-issue anyway. For example, npm says that there is a critical vulnerability in the package macaddress which is indirectly used by css-loader: css-loader > cssnano > postcss-filter-plugins > uniqid > macaddress

Does this mean that css-loader is or could be injecting insecure css or other code into react-kanban? No. macaddress code doesn't come close to ever running on the server.
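The triage the maintainer describes above (following each `npm audit` path back to its top-level package and asking whether that root is a runtime dependency or a devDependency) can be scripted. The following is an added example, not code from react-kanban or from either commenter. It assumes the npm 6-era `npm audit --json` layout, in which each advisory lists `findings[].paths` as `>`-joined chains starting at a top-level package; the manifest and the audit report below are constructed samples, and `example-prod-lib` is an invented package name used only to show the "production" branch.

```javascript
// Added example (not code from react-kanban): classify npm audit findings by
// whether each vulnerable path is reached only through devDependencies.
// Assumes the npm 6-era `npm audit --json` shape, where each advisory carries
// `findings[].paths` as ">"-joined chains starting at a top-level package.

// Constructed sample package.json manifest (only the names matter here).
const manifest = {
  dependencies: { express: "^4.16.3", react: "^16.4.0" },
  devDependencies: { "css-loader": "^0.28.11", webpack: "^4.8.3" },
};

// Constructed sample of the relevant part of `npm audit --json` output.
// The macaddress chain is the one quoted in the thread; the other entry is invented.
const auditReport = {
  advisories: {
    "1234": {
      module_name: "macaddress",
      severity: "critical",
      findings: [
        { version: "0.2.8", paths: ["css-loader>cssnano>postcss-filter-plugins>uniqid>macaddress"] },
      ],
    },
    "5678": {
      module_name: "example-prod-lib", // invented name
      severity: "high",
      findings: [
        { version: "1.0.0", paths: ["express>example-prod-lib", "webpack>example-prod-lib"] },
      ],
    },
  },
};

// Root package of a ">"-joined dependency chain, e.g. "css-loader" above.
function chainRoot(path) {
  return path.split(">")[0];
}

// Classify one advisory: "production" if any path enters through a runtime
// dependency, "dev-only" if every path enters through a devDependency, otherwise
// "unknown" (root not declared in the manifest, e.g. a stale lockfile entry).
function classifyAdvisory(advisory, pkg) {
  const deps = pkg.dependencies || {};
  const devDeps = pkg.devDependencies || {};
  const roots = advisory.findings.flatMap((f) => f.paths.map(chainRoot));
  if (roots.some((r) => r in deps)) return "production";
  if (roots.length > 0 && roots.every((r) => r in devDeps)) return "dev-only";
  return "unknown";
}

// Summarize a whole report as { module_name: { severity, scope, paths } }.
function classifyReport(report, pkg) {
  const out = {};
  for (const advisory of Object.values(report.advisories)) {
    out[advisory.module_name] = {
      severity: advisory.severity,
      scope: classifyAdvisory(advisory, pkg),
      paths: advisory.findings.flatMap((f) => f.paths),
    };
  }
  return out;
}

// Number of advisories that can reach shipped code: the ones to triage first.
function productionCount(report, pkg) {
  return Object.values(classifyReport(report, pkg)).filter((v) => v.scope === "production").length;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(classifyReport(auditReport, manifest));
  console.log(`advisories reaching production dependencies: ${productionCount(auditReport, manifest)}`);
}
```

Run against real data by replacing the two constructed objects with `require("./package.json")` and the parsed output of `npm audit --json`. A "dev-only" label supports the maintainer's point that the vulnerable code never ships in the client or server bundle, but it is not the same as "no exposure": devDependencies still execute on developer machines and CI runners (build steps, install scripts), so they remain part of the supply-chain surface and should be kept updated on their own schedule. Newer npm versions can also produce this split directly with `npm audit --production` (or `--omit=dev`), which limits the audit to the runtime dependency tree.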

sheksushant commented 6 years ago

Seems fair. I found the reason why it was not working on my macOS. I had node 10.1.0 which was showing a lot of deprecated errors. I downgraded to 9.0 and it worked like a charm.

markusenglund commented 6 years ago

I understand. I tried installing the dependencies myself on node 10.1 and holy crap, that's a lot of deprecation warnings. It still worked in the end for me on Linux but it took several minutes to install.

Anyway, I updated all the dependencies and now most but not all of the deprecation warnings are gone. It turns out that vulnerabilities went down to 35 as well. (This didn't happen when I updated the dependencies before, I'm not sure what I was doing wrong.)

Anyway, thanks for reporting.