mathiasbynens / he

A robust HTML entity encoder/decoder written in JavaScript.
https://mths.be/he
MIT License

npm audit: 26 vulnerabilities #86

Open matsamuel2018 opened 2 years ago

matsamuel2018 commented 2 years ago

The latest version of "he" contains some vulnerabilities according to "npm audit": 26 vulnerabilities (8 moderate, 9 high, 9 critical)

I'm not using this package directly but instead it is being referenced through mocha (and I'm using mocha). But I'm just seeing if this project is active enough that perhaps these vulnerabilities will be addressed at some point. I'm certainly no expert with this but it appears that the vulnerabilities are related to packages that need upgrading to newer versions.

I think just having newer packages that update the lodash version will satisfy my vulnerability scanner.

Spekpannenkoek commented 2 years ago

Just as a little note for those that are worried about the above:

When you use this package as a dependency in your project, it won't install the devDependencies in the package.json. As this project doesn't have any regular, non-dev dependencies, there are no vulnerable packages to install in regular use.

You can try this for yourself by running npm install --production and you'll see found 0 vulnerabilities, likewise with npm audit --production. It's a little unfortunate that npm audit checks devDependencies by default.

mikkorantalainen commented 2 years ago

I think it's a good thing that npm audit checks the devDependencies, too, but it would be smart to mention it in the output. Something like found 0 vulnerabilities for production, 26 vulnerabilities (8 moderate, 9 high, 9 critical) for development would be the best of both worlds.
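Spekpannenkoek's and mikkorantalainen's points above (findings reachable only through devDependencies do not affect consumers, and the audit summary should say so), as an added example that is not code from he or from anyone in this thread: a Node script that splits an `npm audit --json` report into production and development counts. It assumes the npm 6 report layout, where each advisory has a `findings[]` array with a `dev` flag; the sample report is constructed.

```javascript
// Added example (not from the he project or this thread): splits an
// `npm audit --json` report into production vs development counts. Assumes
// the npm 6 report shape: advisories[id].findings[].dev is true when the
// vulnerable copy is reachable only through devDependencies.
const SEVERITIES = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample report; ids, versions and paths are made up.
const sampleReport = {
  advisories: {
    1001: { module_name: 'lodash', severity: 'high',
            findings: [{ version: '4.17.11', paths: ['mocha>lodash'], dev: true }] },
    1002: { module_name: 'minimist', severity: 'critical',
            findings: [{ version: '0.0.8', paths: ['some-lib>minimist'], dev: false }] },
    // Reachable through both a dev path and a regular path: counts as production.
    1003: { module_name: 'acorn', severity: 'moderate',
            findings: [{ version: '6.1.0', paths: ['mocha>acorn'], dev: true },
                       { version: '6.1.0', paths: ['other-lib>acorn'], dev: false }] },
  },
};

function emptyCounts() {
  const counts = Object.fromEntries(SEVERITIES.map(s => [s, 0]));
  counts.total = 0;
  return counts;
}

// An advisory is a production problem if any finding is reached through a
// regular dependency; advisories reachable only via dev paths go to `dev`.
function splitAudit(report) {
  const prod = emptyCounts();
  const dev = emptyCounts();
  for (const adv of Object.values(report.advisories)) {
    const bucket = adv.findings.some(f => !f.dev) ? prod : dev;
    bucket[adv.severity] += 1;
    bucket.total += 1;
  }
  return { prod, dev };
}

function describe(counts) {
  return SEVERITIES.filter(s => counts[s] > 0).map(s => `${counts[s]} ${s}`).join(', ');
}

function formatSummary({ prod, dev }) {
  const part = (c, label) => c.total === 0
    ? `0 vulnerabilities for ${label}`
    : `${c.total} vulnerabilities (${describe(c)}) for ${label}`;
  return `found ${part(prod, 'production')}, ${part(dev, 'development')}`;
}
console.log(formatSummary(splitAudit(sampleReport)));
```

To run it on a real project, replace `sampleReport` with `JSON.parse(require('fs').readFileSync(0, 'utf8'))` and pipe `npm audit --json` into the script.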

papb commented 2 years ago

Although the 26 vulnerabilities for development will only happen if you're a developer of this library itself, which is probably not the case.