
Security Warnings for Dependencies (Github + NPM) #271

Open
djsiroky opened this issue May 23, 2019 · 0 comments

As I've been reviewing and testing in MC, both GitHub and NPM have been giving me security warnings. I spent a little time checking out the items NPM reported from running npm audit. They are:

  • Update socket.io to ^2.2.0 from ^1.4.6. See this comment about breaking changes, which do not appear to affect this repo
  • Replace jade with pug (jade is deprecated and pug is the next version of it)
  • Downstream upgrades to dependencies on eslint (a devDependency)
  • Bower update to ^1.8.8 from ^1.8.4

I've started implementing them on security-audit-fixes.

The items that GitHub is reporting are mostly client-side libraries that are actually being tracked by the repo and may warrant a whole other discussion on removing those.
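The triage the issue describes (separating direct, production-reachable advisories from devDependency-only ones such as the eslint chain) can be automated over the output of `npm audit --json`. The script below is an added example, not code from this repository: it assumes the npm 6 era JSON layout (`advisories` keyed by id, each with `findings[].paths` and `findings[].dev`) and runs over a constructed report, not real audit output.

```javascript
// Added example: rank `npm audit --json` advisories so direct, production-affecting
// ones surface first. Assumes the npm 6 report layout; the report is constructed.
const CONSTRUCTED_REPORT = {
  advisories: {
    '1': { module_name: 'socket.io', severity: 'high', patched_versions: '>=2.2.0',
           findings: [{ version: '1.4.6', dev: false, paths: ['socket.io'] }] },
    '2': { module_name: 'jade', severity: 'moderate', patched_versions: '<0.0.0',
           findings: [{ version: '1.11.0', dev: false, paths: ['jade'] }] },
    '3': { module_name: 'lodash', severity: 'high', patched_versions: '>=4.17.11',
           findings: [{ version: '4.17.4', dev: true, paths: ['eslint>lodash'] }] },
    '4': { module_name: 'bower', severity: 'low', patched_versions: '>=1.8.8',
           findings: [{ version: '1.8.4', dev: false, paths: ['bower'] }] },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// For each advisory decide: reachable only via devDependencies? declared as a direct
// dependency (first hop of some path)? fixable by upgrading, or must be replaced?
function triage(report) {
  return Object.values(report.advisories).map((adv) => {
    const paths = adv.findings.flatMap((f) => f.paths);
    return {
      module: adv.module_name,
      severity: adv.severity,
      devOnly: adv.findings.every((f) => f.dev),
      direct: paths.some((p) => p.split('>')[0] === adv.module_name),
      // Assumption: npm reports '<0.0.0' when no patched release exists, which is
      // the jade case in the issue (replace with pug rather than bump).
      unpatchable: adv.patched_versions === '<0.0.0',
      fix: adv.patched_versions,
    };
  }).sort((a, b) =>
    // production-reachable first, then by descending severity
    Number(a.devOnly) - Number(b.devOnly) ||
    SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Human-readable action list, one line per advisory in priority order.
function actionList(report) {
  return triage(report).map((t) =>
    `${t.module} [${t.severity}${t.devOnly ? ', dev only' : ''}]: ` +
    (t.unpatchable ? 'no patched version, replace the package' : `upgrade to ${t.fix}`));
}

console.log(actionList(CONSTRUCTED_REPORT).join('\n'));
```

Feed it a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync('audit.json'))` in place of the constructed object.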
