graphhopper/graphhopper-maps

Updating vulnerable packages!

Closed this issue · 7 comments

We are using outdated versions of packages which, according to npm, have 28 known security vulnerabilities:
8 moderate, 17 high, 3 critical vulnerabilities.
These packages should be updated.

Npm gives info on that using npm audit

Browserslist also reports on serve that it wants to be updated and recommends doing it:

Browserslist: caniuse-lite is outdated. Please run:
  npx browserslist@latest --update-db
  Why you should do it regularly: https://github.com/browserslist/browserslist#browsers-data-updating
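The severity counts quoted above come from `npm audit`. As an added example (not code from graphhopper-maps), the following script summarises an `npm audit --json` report, cross-checks its `metadata.vulnerabilities` tally against the `vulnerabilities` map, lists findings that `npm audit fix` cannot resolve on its own, and decides whether a CI job should fail at a chosen severity threshold. The report shape is assumed to be the one npm 7+ prints; the package names, advisory titles and counts in the embedded sample are constructed for illustration only.

```javascript
// Added example, not part of graphhopper-maps: gate a CI job on `npm audit --json`.
// Assumes the npm 7+ report shape: a `vulnerabilities` map keyed by package name
// and a `metadata.vulnerabilities` tally with info/low/moderate/high/critical/total.

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample report; package names, advisories and counts are made up.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-dev-tool': {
      name: 'example-dev-tool', severity: 'high', isDirect: true,
      via: ['nested-parser'], range: '<2.0.0', fixAvailable: false,
    },
    'nested-parser': {
      name: 'nested-parser', severity: 'high', isDirect: false,
      via: [{ title: 'constructed advisory', severity: 'high', url: 'https://example.invalid/advisory' }],
      range: '<1.4.0', fixAvailable: false,
    },
    'dev-server-dep': {
      name: 'dev-server-dep', severity: 'moderate', isDirect: true,
      via: [{ title: 'constructed advisory', severity: 'moderate', url: 'https://example.invalid/advisory' }],
      range: '<4.0.0', fixAvailable: { name: 'dev-server-dep', version: '4.0.0', isSemVerMajor: false },
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0, total: 3 },
  },
};

// Count findings per severity from the vulnerabilities map itself, so the
// result can be compared with the tally npm puts in `metadata`.
function tallyBySeverity(report) {
  const tally = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  for (const v of Object.values(report.vulnerabilities || {})) {
    if (v.severity in tally) tally[v.severity] += 1;
  }
  return tally;
}

// Findings `npm audit fix` will not resolve: no fix at all, or only a
// semver-major bump (which npm applies only with --force).
function unfixableFindings(report) {
  return Object.values(report.vulnerabilities || {})
    .filter((v) => v.fixAvailable === false || (v.fixAvailable && v.fixAvailable.isSemVerMajor === true))
    .map((v) => ({ name: v.name, severity: v.severity, isDirect: v.isDirect }));
}

// Gate: fail when any finding is at or above `threshold` (default "high").
// Returns a structured result so a CI step can print it and set its exit code.
function auditGate(report, threshold = 'high') {
  const minIndex = SEVERITY_ORDER.indexOf(threshold);
  if (minIndex < 0) throw new Error(`unknown severity threshold: ${threshold}`);
  const tally = tallyBySeverity(report);
  const blocking = SEVERITY_ORDER.slice(minIndex).reduce((n, s) => n + tally[s], 0);
  const meta = report.metadata && report.metadata.vulnerabilities;
  const mapSize = Object.keys(report.vulnerabilities || {}).length;
  return {
    tally,
    blocking,
    pass: blocking === 0,
    // true when npm's own total agrees with the number of entries in the map
    metadataConsistent: !meta || meta.total === mapSize,
    unfixable: unfixableFindings(report),
  };
}

// Stand-alone run on the constructed sample.
console.log(JSON.stringify(auditGate(sampleAudit, 'high'), null, 2));
```

In a pipeline you would replace `sampleAudit` with `JSON.parse` of the captured `npm audit --json` output and exit non-zero when `pass` is false; the `unfixable` list is the part worth reading by hand, since those are exactly the findings (like the favicons case discussed below) where bumping the dependency is not enough on its own.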

I ran npm audit fix which did a minor version update of the webpack-dev-server: f26c31f. Thanks, we should do this from time to time. The remaining security warnings seem to be due to the favicons (dev) dependency, but we already use the latest (non-beta) version of it, so I think there is nothing we need to do.

npx browserslist@latest --update-db

I did this but it only affects the package-lock.json file, which you want to remove? It also changes all the whitespace in package-lock.json so I do not feel like spending more time on this. Our package.json file does not include a browserslist section and there is no .browserslistrc file either, do we even use it?

I did this but it only affects the package-lock.json file, which you want to remove?

Well, then browserslist is a dependency of something else and we are using an outdated version because this version specifically is defined by the lockfile; it would download an up-to-date version automatically on a fresh install.

PS: Just tested, browserslist doesn't complain when you do an npm install without the repo lockfile. So yes, it's a package-lock issue too.

To me it looks like caniuse-lite is a dependency of something else and browserslist does not like the caniuse-lite version. But we do not even use browserslist, so I think this warning is just not an issue at all?

I updated to react 18 and this also made the browserslist warning go away: 2364384

Btw updating jest from 26 to 28 required adding the jest-environment-jsdom module, but even then I got setImmediate is undefined, maybe the same as discussed here: prisma/prisma#8558, so I just left it at 26 for now...