postlight / parser

📜 Extract meaningful content from the chaos of a web page
https://reader.postlight.com
Apache License 2.0
5.37k stars, 443 forks

Dependencies have vulnerabilities #686

Open Shepard opened 1 year ago

Shepard commented 1 year ago

Expected Behavior

No vulnerabilities reported by npm audit / yarn audit.

Current Behavior

Audit reports a bunch of vulnerabilities in dependencies of mercury-parser:

5 vulnerabilities found - Packages audited: 168
Severity: 1 Low | 3 Moderate | 1 High

Steps to Reproduce

  1. Create a node project.
  2. yarn add @postlight/mercury-parser (You already get a bunch of warnings about outdated and deprecated libraries here.)
  3. yarn audit

Detailed Description

I'm trying to keep our software free of vulnerabilities in order to reduce security risks for customers. It is good practice in my mind to update dependencies regularly to avoid any such issues.

Possible Solution

Would be great if these dependencies could be updated or replaced with others where necessary.
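The reproduction steps above end at reading the `yarn audit` summary by eye. As an added example (not code from the postlight/parser project or from the reporter), the script below parses the machine-readable form of that output, `yarn audit --json`, counts advisories per severity, and returns whether a build should fail at a chosen threshold. It assumes the yarn v1 NDJSON layout (one JSON object per line, `auditAdvisory` records carrying `data.advisory.severity`, a closing `auditSummary` record); the sample input is constructed to mirror the 1 Low / 3 Moderate / 1 High counts in this issue, with placeholder module names and advisory ids.

```python
"""Gate a build on `yarn audit --json` output.

Added example, not project code. Format assumption: yarn v1 emits NDJSON,
one object per line, with {"type": "auditAdvisory", "data": {"advisory": {...}}}
records followed by a final {"type": "auditSummary", ...} record.
"""
import json
import sys
from collections import Counter

SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def _advisory(module, severity, adv_id, title):
    # Helper to build a constructed auditAdvisory record.
    return json.dumps({
        "type": "auditAdvisory",
        "data": {"advisory": {"id": adv_id, "module_name": module,
                              "severity": severity, "title": title}},
    })


# Constructed sample output (placeholder names/ids), mirroring the counts
# reported in this issue. A stray non-JSON warning line is included because
# yarn can interleave such lines with the JSON stream.
SAMPLE_AUDIT_JSON = "\n".join([
    "warning placeholder-dep@0.0.1: this package is deprecated (constructed line)",
    _advisory("placeholder-dep-a", "low", 9001, "placeholder title A"),
    _advisory("placeholder-dep-b", "moderate", 9002, "placeholder title B"),
    _advisory("placeholder-dep-c", "moderate", 9003, "placeholder title C"),
    _advisory("placeholder-dep-d", "moderate", 9004, "placeholder title D"),
    _advisory("placeholder-dep-e", "high", 9005, "placeholder title E"),
    json.dumps({"type": "auditSummary", "data": {
        "vulnerabilities": {"info": 0, "low": 1, "moderate": 3, "high": 1, "critical": 0},
        "totalDependencies": 168}}),
])


def parse_yarn_audit(ndjson_text):
    """Return (Counter of severity -> count, list of (module, severity, title)).

    Lines that are blank or not JSON are skipped. Each auditAdvisory record is
    counted once; yarn emits one record per dependency path, so dedupe on the
    advisory id if you need unique advisories rather than affected paths.
    """
    counts = Counter()
    advisories = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "auditAdvisory":
            continue
        adv = rec.get("data", {}).get("advisory", {})
        sev = str(adv.get("severity", "info")).lower()
        if sev not in SEVERITY_ORDER:
            sev = "info"  # unknown severity strings are treated conservatively as info
        counts[sev] += 1
        advisories.append((adv.get("module_name", "?"), sev, adv.get("title", "")))
    return counts, advisories


def should_fail(counts, threshold="high"):
    """True if any advisory is at or above `threshold` severity."""
    start = SEVERITY_ORDER.index(threshold)
    return any(counts[s] for s in SEVERITY_ORDER[start:])


def summarize(counts):
    """Render counts in the same style as yarn's 'Severity:' line."""
    return " | ".join(f"{counts[s]} {s.capitalize()}" for s in SEVERITY_ORDER if counts[s])


if __name__ == "__main__":
    # Usage: yarn audit --json | python audit_gate.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_JSON
    counts, advisories = parse_yarn_audit(text)
    for module, sev, title in advisories:
        print(f"{sev:<9} {module}: {title}")
    print("Severity:", summarize(counts) or "none")
    sys.exit(1 if should_fail(counts, "high") else 0)
```

Note that `yarn audit` itself exits non-zero whenever it finds anything, so piping its output into a gate like this is what lets CI fail only on high or critical findings while still recording the lower ones.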

johnholdun commented 1 year ago

Thanks for noting this! I've just updated a lot of dependencies in #687. There's still one vulnerability listed for cheerio, which is both a critical piece of this project and one that is very hard to touch, in my experience. We have plans to come back to deal with cheerio soon.