sonnyp / Tangram

Browser for your pinned tabs
https://apps.gnome.org/app/re.sonny.Tangram/
GNU General Public License v3.0

Dependency vulnerabilities #131

Closed gsantner closed 3 years ago

gsantner commented 3 years ago

Hello, I just fetched the project from git-master and tried to build it.

When fetching node dependencies, lots of vulnerabilities in the set versions of dependencies show up:

[me@device Tangram]$ git submodule init
Submodul 'troll' (https://github.com/sonnyp/troll) für Pfad 'src/troll' in die Konfiguration eingetragen.
[me@device Tangram]$ git submodule update
Klone nach '/tmp/aatmp/Tangram/src/troll' ...
Submodul-Pfad: 'src/troll': '90957d2c4155b3e2b01d6e2a87e525afaeb047b0' ausgecheckt
[me@device Tangram]$ npm install

> husky@4.3.7 install /tmp/aatmp/Tangram/node_modules/husky
> node husky install
....
added 235 packages from 123 contributors and audited 236 packages in 12.99s

43 packages are looking for funding
  run `npm fund` for details

found 8 vulnerabilities (5 moderate, 3 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Suggestions: set up a dependency scanner in CI; update dependencies.

sonnyp commented 3 years ago

I'll fix it.

It's annoying but FYI https://overreacted.io/npm-audit-broken-by-design/

It doesn't affect Tangram users.

sonnyp commented 3 years ago

Dependencies were updated.