trilbymedia / grav-plugin-flex-objects

Powerful and supremely flexible object support for Grav
MIT License

Dependabot Alerts #137

Closed benabus closed 2 years ago

benabus commented 2 years ago

As I backup my user folder to github, I get a number of dependabot security alerts:

ansi-regex moderate severity by GitHub plugins/flex-objects/yarn.lock
axios high severity by GitHub plugins/flex-objects/yarn.lock
path-parse moderate severity by GitHub plugins/flex-objects/yarn.lock
tar high severity by GitHub plugins/flex-objects/yarn.lock
@npmcli/git moderate severity by GitHub plugins/flex-objects/yarn.lock
normalize-url high severity by GitHub plugins/flex-objects/yarn.lock
postcss moderate severity by GitHub plugins/flex-objects/yarn.lock
glob-parent high severity by GitHub plugins/flex-objects/yarn.lock
browserslist moderate severity by GitHub plugins/flex-objects/yarn.lock
ssri high severity by GitHub plugins/flex-objects/yarn.lock
hosted-git-info moderate severity by GitHub plugins/flex-objects/yarn.lock
y18n high severity by GitHub plugins/flex-objects/yarn.lock

set-value high severity by GitHub plugins/flex-objects/package-lock.json
axios high severity by GitHub plugins/flex-objects/package-lock.json
path-parse moderate severity by GitHub plugins/flex-objects/package-lock.json
tar high severity by GitHub plugins/flex-objects/package-lock.json
@npmcli/git moderate severity by GitHub plugins/flex-objects/package-lock.json
normalize-url high severity by GitHub plugins/flex-objects/package-lock.json
postcss moderate severity by GitHub plugins/flex-objects/package-lock.json
trim-newlines high severity by GitHub plugins/flex-objects/package-lock.json
glob-parent high severity by GitHub plugins/flex-objects/package-lock.json
browserslist moderate severity by GitHub plugins/flex-objects/package-lock.json
lodash high severity by GitHub plugins/flex-objects/package-lock.json
y18n high severity by GitHub plugins/flex-objects/package-lock.json
yargs-parser moderate severity by GitHub plugins/flex-objects/package-lock.json
node-uuid high severity by GitHub plugins/flex-objects/package-lock.json
kind-of high severity by GitHub plugins/flex-objects/package-lock.json
serialize-javascript high severity by GitHub plugins/flex-objects/package-lock.json
ansi-regex moderate severity by GitHub plugins/flex-objects/package-lock.json

w00fz commented 2 years ago

Most likely need to update some dependencies. Honestly it is kinda hard to keep up with all of those warnings nowadays; most of those libraries we don't even use and might be just dependencies of dependencies, which do not impact the limited use of JS we do for flex objects, even if they are actually not used at all. I wouldn't worry about these warnings, but I will take a look at giving flex objects' dependencies an update.

benabus commented 2 years ago

Believe me, I understand. Unfortunately, the powers-that-be get scared by all the alerts, so I'm tasked with lightly nudging the plugin developers. Thanks for the quick reply and the hard work!

w00fz commented 2 years ago

Took longer than I expected to get everything fine-tuned to resolve those warnings, but finally that is done now. Also after going through this I can definitely say all of the warnings were purely based on devDependencies which didn't affect the production JS at all.

So overall, they were just warnings. This will be available with the next release of FlexObjects, or you can grab the files manually until then.

Thanks!
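The thread closes on the observation that every alert was reachable only through devDependencies. That is checkable from the lockfile itself: npm lockfiles of version 2 or 3 carry a "packages" map in which each installed package is flagged "dev": true when nothing in the production dependency graph requires it. The script below is an added example, not code from the flex-objects project or from either commenter. It reads a lockfile object, takes the list of package names Dependabot flagged, and sorts them into production, dev-only and not-installed buckets. The lockfile embedded here is constructed for the example; it reuses package names from the alert list above but its versions and dependency edges are placeholders and say nothing about any real advisory.

```javascript
// Added example (not from the flex-objects project): classify Dependabot-flagged
// packages by whether they are reachable only through devDependencies.
// Relies on the npm lockfile v2/v3 "packages" map, where an entry is marked
// "dev": true when only dev dependencies require it.

// Constructed sample lockfile (v3 shape). Names come from the alert list in
// the issue; versions and edges are placeholders, not real advisory data.
const sampleLock = {
  name: "flex-objects-sample",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { axios: "^0.21.1" },
      devDependencies: { postcss: "^8.2.0", tar: "^6.1.0" }
    },
    "node_modules/axios": { version: "0.21.1", dependencies: { "follow-redirects": "^1.10.0" } },
    "node_modules/follow-redirects": { version: "1.10.0" },
    "node_modules/postcss": { version: "8.2.0", dev: true, dependencies: { nanoid: "^3.1.0" } },
    "node_modules/nanoid": { version: "3.1.0", dev: true },
    "node_modules/tar": { version: "6.1.0", dev: true }
  }
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; handles nested installs
// and scoped packages by taking everything after the last "node_modules/".
function packageNameFromPath(lockPath) {
  const parts = lockPath.split("node_modules/");
  return parts[parts.length - 1];
}

// Returns { production: [...], devOnly: [...], notInstalled: [...] } for the
// given flagged names. A name is "production" if ANY installed copy of it lacks
// the dev flag (nested duplicates are common, and one prod copy is enough).
function classifyAlerts(lock, flaggedNames) {
  if (!lock.packages) {
    // v1 lockfiles nest dev flags per dependency; not handled by this example.
    throw new Error("expected lockfileVersion >= 2 with a 'packages' map");
  }
  const result = { production: [], devOnly: [], notInstalled: [] };
  for (const name of flaggedNames) {
    const copies = Object.entries(lock.packages)
      .filter(([p]) => p !== "" && packageNameFromPath(p) === name);
    if (copies.length === 0) {
      result.notInstalled.push(name); // alert may refer to a since-removed package
      continue;
    }
    const inProduction = copies.some(([, meta]) => !meta.dev);
    (inProduction ? result.production : result.devOnly).push(name);
  }
  return result;
}

// Usage with a constructed list of flagged names
const report = classifyAlerts(sampleLock, ["axios", "postcss", "tar", "lodash"]);
console.log(JSON.stringify(report, null, 2));
```

To run it against a real checkout, replace sampleLock with JSON.parse of the file contents of plugins/flex-objects/package-lock.json and pass the names from the Dependabot list. The yarn.lock in the same directory does not carry a dev flag, so the same question there has to be answered from package.json's dependencies versus devDependencies plus the resolved graph. A dev-only result means the shipped JS is unaffected, as w00fz found; the packages still execute on developer machines and in CI during builds, which is why updating them anyway, as was done here, is the right outcome.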