HOKGroup/MissionControl

Security Warnings for Dependencies (Github + NPM)


As I've been reviewing and testing in MC, both GitHub and NPM have been giving me security warnings. I spent a little time checking out the items NPM reported from running npm audit. They are:

  • Update socket.io to ^2.2.0 from ^1.4.6. See this comment about breaking changes, which do not appear to affect this repo.
  • Replace jade with pug (jade is deprecated and pug is the next version of it)
  • Downstream upgrades to dependencies on eslint (a devDependency)
  • Bower update to ^1.8.8 from ^1.8.4

I've started implementing them on security-audit-fixes.

The items that GitHub is reporting are mostly client-side libraries that are actually being tracked by the repo and may warrant a whole other discussion on removing those.