match4everyone / match4everything


Update JS dependencies #209

Closed maltezacharias closed 3 years ago

maltezacharias commented 3 years ago

Bumps all JS dependencies up to the newest supported version.

Removes two security vulnerabilities. Removes one unnecessary dependency.

One security vulnerability remains:

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ favicons-webpack-plugin [dev]                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ favicons-webpack-plugin > favicons > to-ico > resize-img >   │
│               │ jimp > mkdirp > minimist                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

This needs to be fixed upstream. The vulnerability doesn't affect our app, as the relevant code is only used during the webpack build process and cannot be exploited by users of the app.
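The check behind the audit entry above, as an added example that is not part of the original thread or the project's code: it walks a `package-lock.json` (lockfileVersion 1) tree, evaluates each installed `minimist` version against the "Patched in" range from the report, and records whether the copy is dev-only. The lockfile fragment, function names and the minimal range evaluator (plain `x.y.z` versions only) are assumptions made for illustration.

```javascript
const PATCHED = ">=0.2.1 <1.0.0 || >=1.2.3"; // "Patched in" range from the audit report

// Compare two x.y.z versions numerically; returns -1, 0 or 1.
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a range of the form used above: "||" separates alternatives,
// spaces join comparators that must all hold. Only plain x.y.z versions.
function satisfies(version, range) {
  return range.split("||").some(alt =>
    alt.trim().split(/\s+/).every(c => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(c);
      if (!m) throw new Error("unsupported comparator: " + c);
      const r = cmp(version, m[2]);
      switch (m[1] || "=") {
        case ">=": return r >= 0;
        case "<=": return r <= 0;
        case ">": return r > 0;
        case "<": return r < 0;
        default: return r === 0;
      }
    }));
}

// Walk a package-lock.json (lockfileVersion 1) tree and collect every
// installed copy of `name` that is outside the patched range.
function findUnpatched(node, name, range, path = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = path.concat(dep);
    if (dep === name && !satisfies(info.version, range)) {
      hits.push({ path: here.join(" > "), version: info.version, dev: info.dev === true });
    }
    hits.push(...findUnpatched(info, name, range, here));
  }
  return hits;
}

// Constructed sample lockfile fragment (added example, not the project's lockfile).
const lock = { dependencies: {
  mkdirp: { version: "0.5.1", dev: true,
    dependencies: { minimist: { version: "0.0.8", dev: true } } },
  minimist: { version: "1.2.5" },
}};
console.log(findUnpatched(lock, "minimist", PATCHED));
```

A hit with `dev: true` is installed only for development and build tooling, which is the distinction the comment above relies on; a hit with `dev: false` would ship with production installs.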

bjrne commented 3 years ago

Is there a reason you did not update these? (found these with npm outdated)

css-loader
eslint
expose-loader
favicons-webpack-plugin
sass-loader
terser-webpack-plugin

bjrne commented 3 years ago

And if you're at it, bootstrap released a new version as well I think :grimacing: : https://github.com/twbs/bootstrap/releases/tag/v4.5.1