Security Warnings for Dependencies (Github + NPM)
Opened this issue · 0 comments
djsiroky commented
As I've been reviewing and testing in MC, both GitHub and NPM have been giving me security warnings. I spent a little time checking out the items NPM reported from running `npm audit`. They are:

- Update `socket.io` to `^2.2.0` from `^1.4.6`. See this comment about breaking changes, which do not appear to affect this repo.
- Replace `jade` with `pug` (jade is deprecated and pug is the next version of it).
- Downstream upgrades to dependencies on `eslint` (a devDependency).
- Bower update to `^1.8.8` from `^1.8.4`.
I've started implementing them on `security-audit-fixes`.
The items that GitHub is reporting are mostly client-side libraries that are actually being tracked by the repo and may warrant a whole other discussion on removing those.
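The two version bumps listed above differ in kind: `^1.8.4` to `^1.8.8` stays inside the range the old caret already allowed, while `^1.4.6` to `^2.2.0` crosses a major version, which is why the breaking-changes comment matters for `socket.io` but not for Bower. The following is an added example (not code from the issue author or from this project) that implements npm's caret-range rule from scratch so it runs offline without the `semver` package, and classifies each proposed bump; the sample ranges are the ones quoted in the issue.

```javascript
// Added example: caret-range (^) semantics as used in package.json, written
// from scratch here so it runs offline without the `semver` package.
// The constructed input at the bottom mirrors the bumps listed in the issue.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound npm applies to ^x.y.z: the leftmost non-zero
// component is frozen. ^1.4.6 -> <2.0.0, ^0.4.6 -> <0.5.0, ^0.0.6 -> <0.0.7
function caretUpperBound([x, y, z]) {
  if (x > 0) return [x + 1, 0, 0];
  if (y > 0) return [0, y + 1, 0];
  return [0, 0, z + 1];
}

// True when `version` lies within the caret range `range`.
function caretSatisfies(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const floor = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compareVersions(v, floor) >= 0 && compareVersions(v, caretUpperBound(floor)) < 0;
}

// Classify a proposed range change. If the old range already admits the new
// floor, `npm update` could have resolved to it anyway ('within-range'). If
// not, the new floor is something the lockfile could never have picked, and
// a major-version change ('major') is the case that calls for reading the
// dependency's changelog for breaking changes.
function classifyBump(oldRange, newRange) {
  const newFloor = newRange.slice(1);
  const [oldMajor] = parseVersion(oldRange.slice(1));
  const [newMajor] = parseVersion(newFloor);
  if (caretSatisfies(oldRange, newFloor)) return 'within-range';
  return newMajor !== oldMajor ? 'major' : 'out-of-range';
}

// Constructed sample: the ranges quoted in the issue above.
const proposedBumps = [
  { name: 'socket.io', from: '^1.4.6', to: '^2.2.0' },
  { name: 'bower', from: '^1.8.4', to: '^1.8.8' },
];

function reportBumps(bumps = proposedBumps) {
  return bumps.map(b => ({ ...b, kind: classifyBump(b.from, b.to) }));
}

for (const r of reportBumps()) {
  console.log(`${r.name}: ${r.from} -> ${r.to} (${r.kind})`);
}
```

Running it prints `socket.io: ^1.4.6 -> ^2.2.0 (major)` and `bower: ^1.8.4 -> ^1.8.8 (within-range)`; the `major` result is the one that justifies a manual pass over the upstream breaking-changes notes before merging the audit fix.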