CARLI/select

Investigate Github security warnings for NPM packages

Opened this issue · 2 comments

Gordon reported some security warnings when he pushed to master. Need to look through these and see which ones might impact the project.

https://basecamp.com/1835867/projects/15140514/messages/77113404

The plan, as discussed with @BrianWalters:

  1. Fix package-lock.json
  2. "Shrink-wrap" / snapshot the production node_modules (so we are confident we can revert / re-create the production setup)
  3. Make an "experimental" branch to systematically upgrade packages and make sure that each update works. (update one at a time, test rigorously, commit after each so that there is always a maximum of one undo to get back to a working state)
  4. See if there are any leftover security warnings after updating packages
  5. Look into updating the Node version, try this on the devel server

  1. Brian has fixed the package-lock issues
  2. I put this on a branch called node-modules-freeze
  3. Brian is working on this. We have removed nearly all of the security warnings
  4. The one or two that are left are marked as low impact and are for development tools, so we do not believe they require addressing.
  5. Still TODO
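Two of the steps above lend themselves to a small tooling check: step 3 (upgrade one package at a time, commit after each) and step 4 (decide which leftover warnings matter, given that the remaining ones are low impact and dev-only). The script below is an added example, not code from the CARLI/select project or from the thread above. It assumes a lockfile version 1 `package-lock.json` (npm 5/6, whose top-level `dependencies` map carries `version` and an optional `dev` flag) and the `advisories` shape of `npm audit --json` as emitted by npm 6, where each finding carries a `dev` flag. All package names, advisory ids and versions in it are constructed placeholders.

```python
"""Helpers for an npm dependency-upgrade pass.

Added example (not CARLI/select code). Assumes:
  * package-lock.json in lockfile version 1, whose top-level
    "dependencies" map has "version" and an optional "dev": true flag;
  * `npm audit --json` output from npm 6, whose "advisories" map has
    per-advisory "severity", "module_name", "patched_versions" and
    "findings", each finding carrying a "dev" flag.
All sample data below is constructed for the example.
"""
import json

SEVERITY_ORDER = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def lockfile_diff(old_lock, new_lock):
    """Compare two parsed package-lock.json documents.

    Returns {"added", "removed", "changed"} so that each upgrade commit can
    be checked to have touched only the one package it claims to (the
    "maximum of one undo" discipline from the plan)."""
    old = {n: d["version"] for n, d in old_lock.get("dependencies", {}).items()}
    new = {n: d["version"] for n, d in new_lock.get("dependencies", {}).items()}
    return {
        "added": {n: new[n] for n in new.keys() - old.keys()},
        "removed": {n: old[n] for n in old.keys() - new.keys()},
        "changed": {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]},
    }


def _rank(entry):
    # Unknown severities sort as if critical so they are never hidden.
    return -SEVERITY_ORDER.get(entry["severity"], 4)


def triage_audit(report, defer_dev_below="high"):
    """Split an npm 6 audit report into advisories to fix now and advisories
    that can be deferred.

    An advisory is deferred only when every finding lies on a dev-only
    dependency path AND its severity is below `defer_dev_below`. Anything
    reachable from production code is kept regardless of severity."""
    threshold = SEVERITY_ORDER[defer_dev_below]
    must_fix, deferred = [], []
    for adv_id, adv in report.get("advisories", {}).items():
        findings = adv.get("findings", [])
        dev_only = bool(findings) and all(f.get("dev", False) for f in findings)
        entry = {
            "id": adv_id,
            "module": adv["module_name"],
            "severity": adv["severity"],
            "dev_only": dev_only,
            "patched": adv.get("patched_versions", "<unknown>"),
        }
        if dev_only and SEVERITY_ORDER.get(adv["severity"], 4) < threshold:
            deferred.append(entry)
        else:
            must_fix.append(entry)
    return {"must_fix": sorted(must_fix, key=_rank), "deferred": sorted(deferred, key=_rank)}


# Constructed sample: the lockfile before and after one upgrade commit.
OLD_LOCK = {"lockfileVersion": 1, "dependencies": {
    "example-web": {"version": "1.2.0"},
    "example-test-runner": {"version": "3.0.1", "dev": True},
    "example-lint": {"version": "0.9.0", "dev": True},
}}
NEW_LOCK = {"lockfileVersion": 1, "dependencies": {
    "example-web": {"version": "1.3.0"},
    "example-test-runner": {"version": "3.0.1", "dev": True},
    "example-lint": {"version": "0.9.0", "dev": True},
}}

# Constructed sample in the shape of `npm audit --json` (npm 6); ids are placeholders.
AUDIT_REPORT = {"advisories": {
    "EXAMPLE-1": {"module_name": "example-web", "severity": "moderate",
                  "patched_versions": ">=1.3.0",
                  "findings": [{"version": "1.2.0", "paths": ["example-web"], "dev": False}]},
    "EXAMPLE-2": {"module_name": "example-lint", "severity": "low",
                  "patched_versions": ">=1.0.0",
                  "findings": [{"version": "0.9.0", "paths": ["example-lint"], "dev": True}]},
    "EXAMPLE-3": {"module_name": "example-test-runner", "severity": "high",
                  "patched_versions": ">=3.1.0",
                  "findings": [{"version": "3.0.1", "paths": ["example-test-runner"], "dev": True}]},
}}

if __name__ == "__main__":
    print(json.dumps(lockfile_diff(OLD_LOCK, NEW_LOCK), indent=2))
    print(json.dumps(triage_audit(AUDIT_REPORT), indent=2))
```

In practice `OLD_LOCK`/`NEW_LOCK` would be loaded with `json.load` from the two commits being compared, and `AUDIT_REPORT` from `npm audit --json > audit.json`. The dev-only deferral is deliberately severity-capped: a high or critical advisory in a build tool still runs on developer machines and CI, so it stays in the must-fix list even though it never ships.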