Open matsamuel2018 opened 2 years ago
Just as a little note for those that are worried about the above:

When you use this package as a dependency in your project, it won't install the `devDependencies` in the `package.json`. As this project doesn't have any regular, non-dev dependencies, there are no vulnerable packages to install in regular use.

You can try this for yourself by running `npm install --production` and you'll see `found 0 vulnerabilities`, likewise with `npm audit --production`. It's a little unfortunate that `npm audit` checks `devDependencies` by default.

I think it's a good thing that `npm audit` checks the `devDependencies`, too, but it would be smart to mention it in the output. Something like `found 0 vulnerabilities for production, 26 vulnerabilities (8 moderate, 9 high, 9 critical) for development` would be the best of both worlds.

Although the 26 vulnerabilities for development will only happen if you're a developer of this library itself, which is probably not the case.
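The production/development split the comment above asks for can be derived from `npm audit --json` output. The script below is an added example, not code from this project or from npm; it assumes the npm 6 report shape, where `advisories` is keyed by advisory id and every finding carries a `dev` boolean (true when the vulnerable path is reachable only through `devDependencies`), and it runs against a constructed sample report with placeholder package names and ids:

```python
"""Split an npm 6-style `npm audit --json` report into production and
development findings and render one summary line for both scopes.
Added example; assumes the npm 6 report shape (advisories keyed by id,
each finding carrying a `dev` boolean)."""
import json
import sys
from collections import Counter

# Severity order used for the parenthetical breakdown.
SEVERITIES = ("low", "moderate", "high", "critical")

# Constructed sample report; package names and advisory ids are placeholders.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "1001": {
            "module_name": "dev-tool-a", "severity": "high",
            "findings": [{"version": "1.0.0", "paths": ["mocha>dev-tool-a"], "dev": True}],
        },
        "1002": {
            "module_name": "dev-tool-b", "severity": "moderate",
            "findings": [{"version": "2.3.0", "paths": ["mocha>dev-tool-b"], "dev": True}],
        },
        "1003": {
            "module_name": "dev-tool-c", "severity": "critical",
            "findings": [{"version": "0.9.0", "paths": ["mocha>dev-tool-c"], "dev": True}],
        },
        "1004": {
            # One advisory reached two ways: a dev-only path and a production
            # path. The split is per finding, so it counts once in each scope.
            "module_name": "shared-lib", "severity": "low",
            "findings": [
                {"version": "4.0.0", "paths": ["mocha>shared-lib"], "dev": True},
                {"version": "4.0.0", "paths": ["shared-lib"], "dev": False},
            ],
        },
    }
})


def count_by_scope(report):
    """Return {"production": Counter, "development": Counter} of severities,
    counting each finding once under the scope its `dev` flag indicates."""
    counts = {"production": Counter(), "development": Counter()}
    for advisory in report.get("advisories", {}).values():
        severity = advisory["severity"]
        for finding in advisory.get("findings", []):
            scope = "development" if finding.get("dev", False) else "production"
            counts[scope][severity] += 1
    return counts


def describe(scope, counter):
    """Render one scope, e.g. '26 vulnerabilities (8 moderate, 9 high, 9 critical) for development'."""
    total = sum(counter.values())
    noun = "vulnerability" if total == 1 else "vulnerabilities"
    text = f"{total} {noun}"
    if total:
        # Known severities in fixed order, then anything unexpected alphabetically.
        order = list(SEVERITIES) + sorted(set(counter) - set(SEVERITIES))
        breakdown = ", ".join(f"{counter.get(s, 0)} {s}" for s in order if counter.get(s, 0))
        text += f" ({breakdown})"
    return f"{text} for {scope}"


def summarize(report_text):
    """Produce the combined 'found ... for production, ... for development' line."""
    counts = count_by_scope(json.loads(report_text))
    return "found " + ", ".join(describe(s, counts[s]) for s in ("production", "development"))


if __name__ == "__main__":
    # Pass the path of a saved `npm audit --json` report, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_JSON
    print(summarize(text))
```

Saving a report with `npm audit --json > audit.json` and running the script on it gives the same one-line view; a non-zero production count is what actually matters for consumers of a library, while the development count only concerns people working on the library itself.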
The latest version of "he" contains some vulnerabilities according to "npm audit": 26 vulnerabilities (8 moderate, 9 high, 9 critical)
I'm not using this package directly but instead it is being referenced through mocha (and I'm using mocha). But I'm just seeing if this project is active enough that perhaps these vulnerabilities will be addressed at some point. I'm certainly no expert with this but it appears that the vulnerabilities are related to packages that need upgrading to newer versions.
I think just having newer packages that update the lodash version will satisfy my vulnerability scanner.