Closed iMicknl closed 1 year ago
I am having the same issue. Would be good to get a resolution soon.
@iMicknl and @nishantjainuk, is powerbi-visuals-tools installed globally or as a dependency of your visual?
@JipAccobat correct. It has been added to the devDependencies, see https://github.com/iMicknl/powerbi-botframework-chat-transcripts for my actual source code.
For me it doesn't make sense to install them globally, since this will require extra work for new devs, complicate the CI/CD and doesn't support version pinning easily.
By the way, powerbi-visuals-tools should run npm audit --production instead of a broad npm audit. It doesn't make sense to check devDependencies for vulnerabilities, since they are not executed in a Power BI visual.
@JipAccobat I have it as a dependency as well.
Hello folks!
Sorry for the long delay.
We just released tools version 4.0.2. There should not be any issues with npm audit at this moment )
Please try it.
Thanks @Demonkratiy, I will have a look.
Did you consider implementing my remark (https://github.com/microsoft/PowerBI-visuals-tools/issues/383#issuecomment-918541617), to use npm audit --production?
@iMicknl, thank you for your advice! But I think there is no need to use npm audit --production in this case, as actually running npm install will warn about vulnerabilities anyway with such an approach.
We refactored some code and changed libs or methods where it was needed to exclude any vulnerability issues related to powerbi-visuals-tools, no matter if they are real or not ;)
Part of "Get a Power BI visual certified" is to pass:
npm audit - Must not return any warnings with high or moderate level.
However, the latest version of powerbi-visuals-tools (3.3.0) still has a warning of the moderate level, and running audit fix --force will install powerbi-visuals-tools@1.7.2, which is a huge downgrade. To be honest, having no moderate warnings is quite a hard requirement and thus makes it hard to pass certification.
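
The certification rule quoted above, written as a gate over `npm audit --json` output that also flags when the offered fix is a downgrade like the 3.3.0 to 1.7.2 one. This is an added example, not part of the thread or of powerbi-visuals-tools; it assumes the npm 7+ report shape (`auditReportVersion: 2`), and the sample report, the `example-*` package names and the function names are constructed for illustration.

```javascript
// Constructed sample shaped like `npm audit --json` (npm 7+); package names are hypothetical.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-transitive-lib": {
      name: "example-transitive-lib", severity: "moderate", isDirect: false,
      // What `npm audit fix --force` would install to clear this finding.
      fixAvailable: { name: "powerbi-visuals-tools", version: "1.7.2", isSemVerMajor: true },
    },
    "example-low-lib": { name: "example-low-lib", severity: "low", isDirect: false, fixAvailable: true },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 0, critical: 0, total: 2 } },
};

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Compare plain x.y.z versions (no pre-release tags); negative means a < b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// installed: { packageName: version } taken from the project's lockfile.
function evaluateAudit(report, installed = {}, threshold = "moderate") {
  const min = SEVERITY_ORDER.indexOf(threshold);
  const blocking = [];
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    const rank = SEVERITY_ORDER.indexOf(vuln.severity);
    if (rank !== -1 && rank < min) continue; // unknown severities stay blocking
    const fix = vuln.fixAvailable;
    const entry = { name: vuln.name, severity: vuln.severity, fix: "none" };
    if (fix === true) {
      entry.fix = "in-range"; // plain `npm audit fix` resolves it
    } else if (fix && typeof fix === "object") {
      const current = installed[fix.name];
      const downgrade = current !== undefined && compareVersions(fix.version, current) < 0;
      entry.fix = downgrade
        ? `downgrade ${fix.name} ${current} -> ${fix.version}`
        : `force ${fix.name}@${fix.version}`;
    }
    blocking.push(entry);
  }
  return { pass: blocking.length === 0, blocking };
}
```

In CI, the report would come from `npm audit --json` (or `npm audit --production --json` to leave out devDependencies, as suggested in the thread) and the job would fail when `pass` is false.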