Closed: filipefurtad0 closed this issue 2 years ago
Those alerts are mostly referencing dependencies of dependencies that are only used by Storybook, which explicitly does not get loaded in staging or production.
Also, if you read through the details of some of these CVEs, they're things like "if a malicious user manages to pass in some data in a really obscure way, a slightly inefficient Regex that's somewhere in the code could slow down the server, which might theoretically lead to a Denial of Service situation"... which honestly is not very scary! They're also referring to packages which for example are used briefly at precompile time but don't actually take any user input in our case.
Closing this one as we will act on those separately as they come.
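The triage argument in the comment above (alerts that only hit dependencies of a dev tool such as Storybook are lower priority than ones reachable from production code) can be checked mechanically. The script below is an added example, not code from this thread or the openfoodnetwork project; the dependency graph, package names and root lists are constructed, and `storybook`, `express-ish` and friends are placeholders for whatever a real lockfile resolves to.

```python
"""Triage helper: is a flagged transitive package reachable from production deps?"""
from collections import deque

# Constructed sample data (not the real lockfile): package -> its direct dependencies,
# the shape a package-lock / yarn.lock resolves to once flattened.
GRAPH = {
    "storybook": ["regex-util", "tiny-cli"],
    "tiny-cli": ["regex-util"],
    "express-ish": ["path-lib"],
    "path-lib": [],
    "regex-util": [],
}
PROD_ROOTS = ["express-ish"]   # package.json "dependencies" (constructed)
DEV_ROOTS = ["storybook"]      # package.json "devDependencies" (constructed)


def reachable_from(roots, graph):
    """Return every package reachable from the given roots (breadth-first)."""
    seen, queue = set(), deque(roots)
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return seen


def path_to(target, root, graph):
    """Return one dependency chain root -> ... -> target, or None if unreachable."""
    stack, seen = [(root, [root])], set()
    while stack:
        pkg, path = stack.pop()
        if pkg == target:
            return path
        if pkg in seen:
            continue
        seen.add(pkg)
        stack.extend((dep, path + [dep]) for dep in graph.get(pkg, []))
    return None


def triage(flagged, graph=GRAPH, prod_roots=PROD_ROOTS, dev_roots=DEV_ROOTS):
    """Classify each flagged package as 'production', 'dev-only' or 'unused'."""
    prod, dev = reachable_from(prod_roots, graph), reachable_from(dev_roots, graph)
    return {p: "production" if p in prod else "dev-only" if p in dev else "unused"
            for p in flagged}


if __name__ == "__main__":
    for pkg, cls in triage(["regex-util", "path-lib"]).items():
        print(pkg, cls, path_to(pkg, "storybook", GRAPH))
```

"dev-only" only lowers priority when the dev tool really is absent from the production bundle, as the comment says of Storybook; with a real project, feed the script the graph from `npm ls --all --json` or `yarn why` rather than the constructed one here.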
What we should change and why (this is tech debt)
Dependabot is raising several High Severity and one Critical Security issues: https://github.com/openfoodfoundation/openfoodnetwork/security/dependabot
Context
This came up here.
Impact and timeline