Investigate Github security warnings for NPM packages
Opened this issue · 2 comments
mekane commented
Gordon reported some security warnings when he pushed to master. Need to look through these and see which ones might impact the project.
https://basecamp.com/1835867/projects/15140514/messages/77113404
mekane commented
The plan, as discussed with @BrianWalters :
- Fix package-lock.json
- "Shrink-wrap" / snapshot the production node_modules (so we are confident we can revert / re-create the production setup)
- Make an "experimental" branch to systematically upgrade packages and make sure that each update works. (update one at a time, test rigorously, commit after each so that there is always a maximum of one undo to get back to a working state)
- See if there are any leftover security warnings after updating packages
- Look into updating the Node version, try this on the devel server
mekane commented
- Brian has fixed the package-lock issues
- I put this on a branch called node-modules-freeze
- Brian is working on this. We have removed nearly all of the security warnings
- The one or two that are left are marked as low impact and are for development tools, so we do not believe they require addressing.
- Still TODO
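Added example (not from this issue thread or the project): a small triage script for the "leftover warnings" step above and the low-impact / dev-tool reasoning in the last comment. It reads constructed `npm audit --json` (report version 2) and `package-lock.json` (lockfileVersion 2+) samples and accepts a finding only when it is low severity and every installed copy is flagged `"dev": true` in the lockfile; the package names, versions and advisory URLs are made up.

```python
import json

# Constructed sample of `npm audit --json` output (auditReportVersion 2); not real advisories.
AUDIT_JSON = """{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "minimist": {"name": "minimist", "severity": "low", "isDirect": false,
                 "via": [{"title": "Sample advisory A", "url": "https://example.invalid/a"}],
                 "nodes": ["node_modules/minimist"], "fixAvailable": true},
    "express": {"name": "express", "severity": "high", "isDirect": true,
                "via": [{"title": "Sample advisory B", "url": "https://example.invalid/b"}],
                "nodes": ["node_modules/express"], "fixAvailable": true}
  }
}"""

# Constructed package-lock.json fragment. In lockfileVersion 2+, entries under
# "packages" carry "dev": true when the package is reachable only via devDependencies.
LOCK_JSON = """{
  "lockfileVersion": 2,
  "packages": {
    "node_modules/minimist": {"version": "1.2.0", "dev": true},
    "node_modules/express": {"version": "4.17.1"}
  }
}"""


def triage(audit_json: str, lock_json: str) -> dict:
    """Map each audited package to 'accept' or 'fix'.

    'accept' only when severity is info/low AND every installed copy listed in
    the audit's "nodes" is marked dev-only in the lockfile. Anything that ships
    to production, or anything moderate or worse, is 'fix'.
    """
    audit = json.loads(audit_json)
    lock_packages = json.loads(lock_json).get("packages", {})
    decisions = {}
    for name, vuln in audit.get("vulnerabilities", {}).items():
        nodes = vuln.get("nodes", [])
        # An empty node list gives no evidence of dev-only use, so it is not accepted.
        dev_only = bool(nodes) and all(
            lock_packages.get(n, {}).get("dev", False) for n in nodes
        )
        low = vuln.get("severity") in ("info", "low")
        decisions[name] = "accept" if (low and dev_only) else "fix"
    return decisions


if __name__ == "__main__":
    for pkg, decision in triage(AUDIT_JSON, LOCK_JSON).items():
        print(f"{pkg}: {decision}")
```

Run against real files with `npm audit --json > audit.json` and the repo's `package-lock.json`, then record the accepted findings and the reason next to the issue so the decision is reviewable later.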