Closed. dawsbot closed this 2 years ago.
Not really — that's on purpose. I'm getting tired of all the dependency vulnerability warnings which are bullshit. Version ranges specified in package.json are good, tight enough.
I was not aware that the library is entirely dependency free. 0 dependencies. Ignore my thoughts, unless one day a dependency is added 🙏
~If you're tired of vulnerability warnings, you should turn off dependabot vulnerability warnings.~
~It's unsafe to avoid the lockfile altogether. Your audits should include certain dependency versions as well, so that folks can understand if the audited version number contains the exact same deps as what they are installing.~
Yeah, they spam "vulnerability" for all devDependencies, which is very annoying, since 99% of the time it's a nothingburger.
Upon forking the repo, I noticed there is no `package-lock.json`. All recent versions of npm generate this file and it's imperative for deterministic installs. A security recommendation for all JS projects is to include a `package-lock.json` [Source from OWASP].

Closes #31
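The PR description above argues that a lockfile makes installs deterministic. The concrete property a lockfile gives you, and the one `npm ci` enforces, is that the ranges recorded in the lockfile's root entry match `package.json` and that every dependency resolves to one pinned version with an integrity hash. The following is an added example, not code from this PR or from the project: a small drift checker over the lockfileVersion 2/3 `packages` map. The `example-lib` manifest, the dependency names, and the `sha512-PLACEHOLDER` integrity strings are constructed inputs, not real values.

```javascript
// Added example: detect drift between package.json and package-lock.json.
// Everything below (manifest, lockfile, hashes) is constructed sample data.

// Constructed sample manifest.
const pkgJson = {
  name: "example-lib",
  version: "1.0.0",
  dependencies: { semver: "^7.5.0" },
  devDependencies: { jest: "^29.0.0" },
};

// Constructed sample lockfile in the lockfileVersion 3 shape. The "" key is
// the root package; "node_modules/<name>" keys hold the resolved versions.
const lockJson = {
  name: "example-lib",
  version: "1.0.0",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-lib",
      version: "1.0.0",
      dependencies: { semver: "^7.5.0" },
      devDependencies: { jest: "^29.0.0" },
    },
    "node_modules/semver": {
      version: "7.5.4",
      resolved: "https://registry.npmjs.org/semver/-/semver-7.5.4.tgz",
      integrity: "sha512-PLACEHOLDER", // placeholder, not a real hash
    },
    "node_modules/jest": {
      version: "29.7.0",
      resolved: "https://registry.npmjs.org/jest/-/jest-29.7.0.tgz",
      integrity: "sha512-PLACEHOLDER", // placeholder, not a real hash
      dev: true,
    },
  },
};

// Compare the ranges declared in package.json with those recorded for the
// root package in the lockfile, and confirm each declared dependency has a
// pinned, integrity-checked entry. Returns human-readable findings; an empty
// array means the lockfile is in sync and installs are reproducible.
function lockfileFindings(pkg, lock) {
  const findings = [];
  if (!lock || typeof lock !== "object") {
    return ["package-lock.json is missing: installs are not deterministic"];
  }
  if (![2, 3].includes(lock.lockfileVersion)) {
    return [`unexpected lockfileVersion ${lock.lockfileVersion}`];
  }
  const packages = lock.packages || {};
  const root = packages[""] || {};
  for (const field of ["dependencies", "devDependencies"]) {
    const declared = pkg[field] || {};
    const locked = root[field] || {};
    for (const [name, range] of Object.entries(declared)) {
      if (!(name in locked)) {
        findings.push(`${field}.${name} is declared but not in the lockfile root`);
      } else if (locked[name] !== range) {
        findings.push(`${field}.${name}: package.json wants ${range}, lockfile recorded ${locked[name]}`);
      }
      const entry = packages[`node_modules/${name}`];
      if (!entry || !entry.version) {
        findings.push(`${name} has no resolved version in the lockfile`);
      } else if (!entry.integrity) {
        findings.push(`${name}@${entry.version} has no integrity hash`);
      }
    }
    for (const name of Object.keys(locked)) {
      if (!(name in declared)) {
        findings.push(`${field}.${name} is in the lockfile root but not in package.json`);
      }
    }
  }
  return findings;
}

// Hypothetical helper for a real checkout: read both files from a directory.
function checkProject(dir) {
  const fs = require("node:fs");
  const path = require("node:path");
  const pkg = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
  const lockPath = path.join(dir, "package-lock.json");
  const lock = fs.existsSync(lockPath) ? JSON.parse(fs.readFileSync(lockPath, "utf8")) : null;
  return lockfileFindings(pkg, lock);
}

function runDemo() {
  console.log("in sync:", lockfileFindings(pkgJson, lockJson));
  const bumped = { ...pkgJson, dependencies: { semver: "^7.6.0" } };
  console.log("after editing package.json:", lockfileFindings(bumped, lockJson));
  console.log("no lockfile:", lockfileFindings(pkgJson, null));
}
runDemo();
```

Run `checkProject(".")` from a CI step and fail the build on any finding; that reproduces what `npm ci` checks, but gives you the reason in the log rather than a generic install error. The integrity check is the part that matters for supply-chain safety: a recorded `sha512` ties the install to one exact tarball, which a version range in `package.json` alone does not.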