zkat / npx

execute npm package binaries (moved)
https://github.com/npm/npx

Too many vulnerabilities #227

Closed jmeyers91 closed 5 years ago

jmeyers91 commented 5 years ago

When I install npx or run npm install in a project with npx installed, NPM spits out this:

found 36 vulnerabilities (6 low, 22 moderate, 8 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Every one of my project's "vulnerabilities" is coming from NPX. Why does NPX rely on so many dependencies with known vulnerabilities? I tend to avoid global dependencies, so I've been removing NPX from all my projects because our clients don't like seeing dozens of vulnerabilities. Should I only use NPX during development and install it globally or as a dev dependency? Should I just ignore NPM telling me I have 36 vulnerabilities?

fharper commented 5 years ago

We are looking at updating some of the dependencies.

eric-holmes commented 5 years ago

Any movement on this @fharper? I'm only seeing one vulnerability, specifically with yargs, which has had several releases since v11 as used in this. :)

fharper commented 5 years ago

@ewholmes: worst case, by the end of the week I'll merge a PR.

fharper commented 5 years ago

My modifications were merged; I'll also release a new version of npx.