Open taoeffect opened 6 years ago
Running:

```
phenomenon@phenomenon:~/group-income-simple-work$ npm audit
```

Yields:

```
found 450 vulnerabilities (447 low, 3 high)
run `npm audit fix` to fix them, or `npm audit` for details
```
Probably should prioritize dropping these packages soon if at all possible.
When attempting to use our own GitHub fork of a dependency, Travis CI complains about not being able to access it, apparently because of some missing access rights:
@snowteamer I think you need to specify the URL in such a way that it doesn't attempt to access the repo via SSH, but instead uses HTTPS.
Using a full commit hash in the dependency specification instead of a branch name, and/or reverting to NPM 6.x seems to bypass the issue.
```json
...
"pug-lint-vue": "github:snowteamer/pug-lint-vue#2702763877bfd1b77c56c81542a22a058e42e952",
...
```
Relevant NPM issue: https://github.com/npm/cli/issues/2610
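The two points raised above (pin git dependencies to a full commit hash rather than a branch, and avoid SSH URLs that CI cannot clone) can be checked mechanically. The script below is an added example, not code from this project; the `package.json` it scans is constructed inline, and the `example-org/*` dependencies are placeholders.

```javascript
// Added example (not from the issue): flag git-hosted deps in a package.json
// that are unpinned, pinned to a mutable branch/tag, or fetched over SSH.
const FULL_SHA = /^[0-9a-f]{40}$/i;
// Git dependency spec forms npm accepts; each captures "owner/repo" and the #ref.
const GIT_FORMS = [
  // github:owner/repo#ref or bare owner/repo#ref (npm fetches these over HTTPS)
  { re: /^(?:github:)?([\w.-]+\/[\w.-]+?)(?:\.git)?(?:#(.+))?$/, transport: 'https' },
  // git+ssh://git@host/owner/repo.git#ref, ssh://git@host/..., git@host:owner/repo.git#ref
  { re: /^(?:git\+ssh:\/\/|ssh:\/\/)?git@[^\/:]+[\/:]([\w.-]+\/[\w.-]+?)(?:\.git)?(?:#(.+))?$/, transport: 'ssh' },
  // git+https://host/owner/repo.git#ref or https://host/owner/repo.git#ref
  { re: /^(?:git\+)?https:\/\/[^\/]+\/([\w.-]+\/[\w.-]+?)(?:\.git)?(?:#(.+))?$/, transport: 'https' },
];
// Returns { repo, ref, transport } for a git spec, or null for a registry/file/alias spec.
function parseGitSpec(spec) {
  for (const { re, transport } of GIT_FORMS) {
    const m = re.exec(spec);
    if (m) return { repo: m[1], ref: m[2] || null, transport };
  }
  return null;
}
// Reports git deps with supply-chain problems:
//   unpinned    - no #ref at all (resolves to whatever the default branch head is)
//   mutable-ref - ref is a branch or tag, which can be moved after review
//   ssh-url     - needs SSH credentials (the Travis failure described in the thread)
function checkDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const git = parseGitSpec(spec);
      if (!git) continue; // registry semver range etc.; not a git dependency
      const problems = [];
      if (git.transport === 'ssh') problems.push('ssh-url');
      if (!git.ref) problems.push('unpinned');
      else if (!FULL_SHA.test(git.ref)) problems.push('mutable-ref');
      if (problems.length) findings.push({ field, name, repo: git.repo, ref: git.ref, problems });
    }
  }
  return findings;
}
// Constructed sample: the correctly pinned fork from the thread plus three bad specs.
const SAMPLE_PACKAGE_JSON = {
  devDependencies: {
    'pug-lint-vue': 'github:snowteamer/pug-lint-vue#2702763877bfd1b77c56c81542a22a058e42e952',
    'example-a': 'github:example-org/example-a#master',
    'example-b': 'git+ssh://git@github.com/example-org/example-b.git#v1.2.0',
    'example-c': 'https://github.com/example-org/example-c.git',
    'lodash': '^4.0.0',
  },
};
console.log(JSON.stringify(checkDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```

Run it against a real `package.json` with `checkDependencies(require('./package.json'))`; an empty result means every git dependency is pinned to an immutable commit and cloneable over HTTPS.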
Problem
We have too many dependencies / third-party libraries. Dependencies are liabilities almost as much as they are assets.
Related issues:

- #361 - "You Might Not Need Lodash"
- #360 - Get rid of NPM
- #349 - Update dependencies
- #340 - Prevent package-lock.json from breaking when deps-of-deps update
- #21 - Bundle dependencies
Solution
```
for (each dependency) {
}
```
This includes Bulma.
In the end, the only third-party dependencies we should be left with are `devDependencies`, and even those might not be necessary. As much as possible should be removed or adopted, i.e. we don't need a minifier if our codebase is so small that it doesn't require minification.

In the end, we should get rid of `npm` and the `package-lock.json` file as well (since it's so problematic + not helpful). By having our own trimmed-down, audited forks of everything we don't need to worry about new issues arising from updates. We then don't need to worry about what happens if "npm is down" or "npm is compromised", and we can rely on GPG + git signatures to verify the codebase and commits - Issue #153.
EDIT: this issue can be closed if #586 and #1101 are closed.