poanetwork / poa-popa

DApp for proof of physical address (PoPA) attestation for validators of POA Network
https://popa.poa.network
GNU General Public License v3.0

(Fix) Apply results of npm audit for web-dapp #190

Closed phahulin closed 6 years ago

phahulin commented 6 years ago

Apply results of npm audit fix for prod-dependencies in web-dapp folder.

I think we should skip the blockchain folder for now, because a fix there requires an update of truffle, which requires an updated version of the solidity compiler, which leads to changes in contract code. Since contracts are already deployed with the previous solidity compiler version + truffle is not used in production anyway, we can address these changes after v.1.0 is tagged.

coveralls commented 6 years ago

Pull Request Test Coverage Report for Build 601

Totals:
Change from base Build 593: 0.06%
Covered Lines: 1029
Relevant Lines: 1272

pablofullana commented 6 years ago

Sounds good to me.

fvictorio commented 6 years ago

@phahulin Two things:

  1. Why is the package-lock.json in the blockchain directory modified if the audit was not applied there?
  2. There are some pending issues that require manual checking, but they are of moderate severity.

In any case, I'm OK with merging this.

phahulin commented 6 years ago

@fvictorio

  1. Good question. Seems like npm 6.1, which I'm using, has this issue: https://github.com/npm/npm/issues/17722#issuecomment-396169770 and it simply added "optional": true in package-lock, without actually upgrading any versions.
  2. Yes, also they are in dev dependencies.
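
Added example, not part of the thread or the poa-popa code base: a check a reviewer could run for the lockfile question raised above, comparing two npm 6 (lockfileVersion 1) package-lock.json trees and separating re-pinned packages from entries where only a flag such as "optional" changed. The function names, package names, registry URL and integrity strings are constructed for illustration.

```javascript
// Added example. Compares two lockfileVersion 1 (npm 6) package-lock.json
// objects. All sample data below is constructed for illustration.
const PINNED = ['version', 'resolved', 'integrity']; // decide what is installed
const FLAGS = ['dev', 'optional', 'bundled'];        // metadata only

// Flatten nested "dependencies" into a Map keyed by path, e.g. "a>b".
function flatten(deps = {}, prefix = '', out = new Map()) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = prefix ? `${prefix}>${name}` : name;
    out.set(path, entry);
    flatten(entry.dependencies, path, out);
  }
  return out;
}

function diffLocks(before, after) {
  const a = flatten(before.dependencies);
  const b = flatten(after.dependencies);
  const r = { added: [], removed: [], repinned: [], flagOnly: [] };
  for (const [path, entry] of b) {
    const old = a.get(path);
    if (!old) r.added.push(path);
    else if (PINNED.some((k) => old[k] !== entry[k])) r.repinned.push(path);
    else if (FLAGS.some((k) => Boolean(old[k]) !== Boolean(entry[k]))) r.flagOnly.push(path);
  }
  for (const path of a.keys()) if (!b.has(path)) r.removed.push(path);
  return r;
}

// True when no package was added, removed or re-pinned.
function isFlagOnly(r) {
  return r.added.length + r.removed.length + r.repinned.length === 0;
}

// Constructed sample: only "optional": true appears on a nested entry.
const pin = (version, extra = {}) => ({
  version,
  resolved: `https://registry.example/pkg-${version}.tgz`,
  integrity: `sha512-CONSTRUCTED-${version}`,
  ...extra,
});
const BEFORE = { lockfileVersion: 1, dependencies: {
  'pkg-a': pin('1.2.0', { dependencies: { 'pkg-b': pin('0.3.1') } }),
} };
const AFTER = { lockfileVersion: 1, dependencies: {
  'pkg-a': pin('1.2.0', { dependencies: { 'pkg-b': pin('0.3.1', { optional: true }) } }),
} };
const BUMPED = { lockfileVersion: 1, dependencies: { 'pkg-a': pin('1.2.1') } };

console.log(diffLocks(BEFORE, AFTER), diffLocks(BEFORE, BUMPED));
```

In a real review the two inputs would be the parsed package-lock.json from the base branch and from the PR branch.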