Ran the new 'npm audit' and updated some of the packages that are mentioned. #298
Updated with package additions
Updates to README
@h3poteto Having checked: Because the fsevents package doesn't get installed on Linux, you can't set it to be ignored by the audit, with that command-line option. I've emailed npmjs support, on the off-chance there's a way to get the audit process to ignore uninstalled optional dependencies, but whether they'll respond with anything more than an auto-response is anyone's guess. Hope this was helpful, let me know, either way (:*
🙇 I'm sorry, I don't know how to ignore the fsevents. But, this change is good, so I'll merge.
@h3poteto I got a response from npmjs support, you can turn auditing off completely, or off for installable packages on a per-package basis, but you can't turn off auditing for packages that are not installed. Oh well, it was worth a shot. Glad the PR helps (:*
OK, I see, thank you.
@h3poteto I've managed to reduce the number of security vulnerabilities down to 58, from an original 78 or so that the audit reports. A lot (33) of the remaining ones occur in the fsevents package which is Mac only, so I've not been able to sort those out, since I'm on Linux, and the remainder are in upstream packages that have not themselves been updated to use newer versions of other packages, where a fix exists for the vulnerability.
The app compiles and runs fine, on Linux.
I think there's an option to turn off auditing on single packages, so I may use that with fsevents at my end so that those 33 disappear.
Hope this helps (:*