openfoodfoundation / openfoodnetwork

Connect suppliers, distributors and consumers to trade local produce.
https://www.openfoodnetwork.org
GNU Affero General Public License v3.0

Address High Severity and Critical Security dependabot issues #8502

Closed filipefurtad0 closed 2 years ago

filipefurtad0 commented 2 years ago

What we should change and why (this is tech debt)

Dependabot is raising several High Severity and one Critical Security issues: https://github.com/openfoodfoundation/openfoodnetwork/security/dependabot

Context

This came up here.

Impact and timeline

Matt-Yorkley commented 2 years ago

Those alerts are mostly referencing dependencies of dependencies that are only used by Storybook, which explicitly does not get loaded in staging or production.
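One way to do the triage described above, checking whether each alerted package is reachable from a production dependency or only through a dev-only root such as Storybook, as an added example in Python (not code from the openfoodnetwork repo; the manifest, dependency graph and alerts below are constructed for illustration):

```python
from collections import deque

# Constructed sample data (not the project's real package.json or lockfile).
# Direct dependencies, split the way package.json splits them.
MANIFEST = {
    "dependencies": {"web-framework": "^1.0"},
    "devDependencies": {"storybook-tool": "^6.0"},
}
# Flattened lockfile graph: package -> packages it depends on (constructed).
GRAPH = {
    "web-framework": ["env-shim"],
    "storybook-tool": ["story-core", "string-trim"],
    "story-core": ["regex-util", "string-trim"],
}
# Constructed alerts shaped like a dependabot/audit summary (hypothetical packages).
ALERTS = [
    {"package": "regex-util", "severity": "high"},
    {"package": "string-trim", "severity": "critical"},
    {"package": "env-shim", "severity": "high"},
]

def shortest_chain(roots, target, graph):
    """BFS from the given direct dependencies; return the chain root > ... > target, or None."""
    parent = {r: None for r in roots}
    queue = deque(roots)
    while queue:
        node = queue.popleft()
        if node == target:
            chain = []
            while node is not None:
                chain.append(node)
                node = parent[node]
            return chain[::-1]
        for child in graph.get(node, []):
            if child not in parent:
                parent[child] = node
                queue.append(child)
    return None

def triage(alerts, manifest, graph):
    """Label each alert 'production' if reachable from a runtime dependency, else 'dev-only' or 'not-installed'."""
    out = []
    for alert in alerts:
        prod = shortest_chain(manifest["dependencies"], alert["package"], graph)
        dev = shortest_chain(manifest["devDependencies"], alert["package"], graph)
        scope, chain = ("production", prod) if prod else ("dev-only", dev) if dev else ("not-installed", [])
        # The chain is what to paste into the alert when dismissing or prioritising it.
        out.append({**alert, "scope": scope, "chain": " > ".join(chain)})
    return out
```

Calling `triage(ALERTS, MANIFEST, GRAPH)` returns one row per alert: the two packages reachable only through `storybook-tool` come back as dev-only with their chain, the one under `web-framework` as production. A dev-only label only means the code is not loaded at runtime; a package executed at build time still runs on the build host and should be judged on that basis.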

Matt-Yorkley commented 2 years ago

Also, if you read through the details of some of these CVEs, they're things like "if a malicious user manages to pass in some data in a really obscure way, a slightly inefficient Regex that's somewhere in the code could slow down the server, which might theoretically lead to a Denial Of Service situation"... which honestly is not very scary! They're also referring to packages which, for example, are used briefly at precompile time but don't actually take any user input in our case.

RachL commented 2 years ago

Closing this one as we will act on those separately as they come.