Closed bingomanatee closed 6 years ago
Hi!
I just did an npm install (which runs audit) of all 38 monorepo Neutrino 8.2.3 packages using npm v6.0.1, and it found zero vulnerabilities:
https://gist.github.com/edmorley/add76158c0492ad6a6ee4b77d496d4cd
From reading the docs it appears that the npm audit feature only inspects the contents of a local package-lock.json rather than actually checking the latest version of the packages available.
As such, I think your package-lock.json may just be out of date?
Could you try removing it and regenerating it - and then trying again?
On a side note, it's slightly annoying that npm:
package-lock.json
or to the latest dependency chain itself
We could also turn on Snyk for Neutrino, but I have it on for other repos as well and it seems to generate a lot of false positives and can be noisy.
I think since:
...that Snyk etc probably wouldn't add much value.
They also don't seem to support monorepos: https://snyk.io/test/github/mozilla-neutrino/neutrino-dev?tab=dependencies&vulns=all
Yeah, you're probably right; alerts will just generate noise, nothing highly actionable.
@bingomanatee did you see this? :-)
As such, I think your package-lock.json may just be out of date? Could you try removing it and regenerating it - and then trying again?
Closing this out since the npm audit of Neutrino 8 showed zero issues, so this was likely due to a stale package-lock.json in your project. Deleting the lockfile and re-generating it should resolve the warnings you saw.
I'd strongly recommend using something like Renovate to automate keeping both your dependencies and lockfile up to date.
Bug or issue?
Please try to answer the following questions:
run npm audit - there is a trail of security issues with Neutrino.
Feature request or enhancement?
Please describe your request in detail. Use the following questions as guidance: