qlik-demo-team / qdt-components

React Components to be used with Angular 10, React 16 and Vue 2. Connects with the Capability API and Engine API.
MIT License

Security vulnerability in dependency preventing on-boarding latest version to enterprise npm registry #234

Closed ashishpadman closed 4 years ago

ashishpadman commented 4 years ago

There are security vulnerabilities for the npm package serialize-javascript@1.9.1 as listed below:

  1. https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840
  2. https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062

This package is a dependency of uglifyjs-webpack-plugin package in the latest qdt-components dependency list.

We are stuck at qdt-components@1.3.13 in our corporate npm registry because of this, as it refuses to onboard a package with a high-vulnerability dependency. Is it possible to remove uglifyjs-webpack-plugin as a dependency?

Note: uglifyjs-webpack-plugin should be a dev dependency; I don't understand why it is added as a direct dependency.

yianni-ververis commented 4 years ago

Thank you.

Moved to dev

3.0.0-beta.22
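The reason the move to devDependencies resolves the registry block, shown as an added example that is not part of this thread or of the qdt-components code: a tiny resolver over a constructed dependency graph that follows only production "dependencies" edges, as a consumer's install does ('x.y.z' and the advisory table are placeholders; only serialize-javascript@1.9.1 is taken from the issue).

```javascript
// Added example, not the qdt-components project's code: walks only the
// production "dependencies" edges of a package graph, as a consumer's
// `npm install` does, to show why moving uglifyjs-webpack-plugin to
// "devDependencies" keeps serialize-javascript@1.9.1 out of downstream trees.

// Constructed graph: 1.9.1 is the version named in the issue; 'x.y.z' is a
// placeholder, not a real uglifyjs-webpack-plugin version.
const registry = {
  'uglifyjs-webpack-plugin': {
    version: 'x.y.z',
    dependencies: { 'serialize-javascript': '1.9.1' },
    devDependencies: {},
  },
  'serialize-javascript': { version: '1.9.1', dependencies: {}, devDependencies: {} },
};

// The library's manifest before and after the fix in the thread.
const manifestBefore = { dependencies: { 'uglifyjs-webpack-plugin': 'x.y.z' }, devDependencies: {} };
const manifestAfter = { dependencies: {}, devDependencies: { 'uglifyjs-webpack-plugin': 'x.y.z' } };

// Constructed advisory table keyed on the exact version the issue names
// (a real scanner such as npm audit or Snyk matches semver ranges).
const flagged = { 'serialize-javascript': new Set(['1.9.1']) };

// Transitive closure over "dependencies" only: a consumer never installs the
// root's devDependencies, and npm never installs devDependencies of
// transitive packages, so those edges are not followed.
function productionTree(manifest, reg) {
  const tree = new Map();               // name -> installed version
  const stack = Object.keys(manifest.dependencies);
  while (stack.length) {
    const name = stack.pop();
    if (tree.has(name)) continue;
    const pkg = reg[name];
    if (!pkg) throw new Error(`unknown package ${name}`);
    tree.set(name, pkg.version);
    stack.push(...Object.keys(pkg.dependencies));
  }
  return tree;
}

// Every flagged package a consumer of `manifest` would end up installing.
function flaggedInTree(manifest, reg, advisories) {
  return [...productionTree(manifest, reg)]
    .filter(([name, version]) => advisories[name]?.has(version))
    .map(([name, version]) => `${name}@${version}`);
}

console.log('before fix:', flaggedInTree(manifestBefore, registry, flagged));
console.log('after fix :', flaggedInTree(manifestAfter, registry, flagged));
```

The same check against a real tree is what `npm audit --omit=dev` (or `npm audit --production` on older npm) performs, which is why a build-only plugin listed under "dependencies" shows up in consumers' audits.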

ashishpadman commented 4 years ago

Thank you. When will this be released to the master branch? Unfortunately, the automated procurement tool in the company only picks up from master branch releases