leaflet-extras/leaflet-providers

Dependabot alerts

brunob opened this issue · 3 comments

@jieter for now we have 8 alerts on https://github.com/leaflet-extras/leaflet-providers/security/dependabot

I've fixed some of them by running npm update, but the remaining alerts could not be fixed with npm audit & npm audit --force. Have you any advice on a way to fix this or should we dismiss these alerts?

FTR it seems to be related to mocha-chrome:

updater | INFO <job_450065555> The latest possible version that can be installed is 10.1.0 because of the following conflicting dependencies:
updater | <job_450065555> 
updater | <job_450065555>   mocha-chrome@2.2.0 requires yargs-parser@^10.0.0 via meow@5.0.0
updater | <job_450065555>   mocha@10.0.0 requires yargs-parser@20.2.4
updater | <job_450065555>   mocha@10.0.0 requires yargs-parser@^20.2.2 via yargs@16.2.0
updater | INFO <job_450065555> The earliest fixed version is 13.1.2.
updater | INFO <job_450065555> Finished job processing

https://github.com/leaflet-extras/leaflet-providers/security/dependabot/6/update-logs/266777016

I suspect these alerts are concerning our devDependencies, not our runtime dependencies. So I'd say that dismissing them for now is OK.

I suspect these alerts are concerning our devDependencies

Exactly, I'll dismiss them :)