Dependabot alerts
brunob opened this issue · 3 comments
brunob commented
@jieter for now we have 8 alerts on https://github.com/leaflet-extras/leaflet-providers/security/dependabot
I've fixed some of them by running `npm update`, but the remaining alerts could not be fixed with `npm audit` & `npm audit --force`. Have you any advice on a way to fix this or should we dismiss these alerts?
brunob commented
FTR it seems to be related to mocha-chrome:
updater | INFO <job_450065555> The latest possible version that can be installed is 10.1.0 because of the following conflicting dependencies:
updater | <job_450065555>
updater | <job_450065555> mocha-chrome@2.2.0 requires yargs-parser@^10.0.0 via meow@5.0.0
updater | <job_450065555> mocha@10.0.0 requires yargs-parser@20.2.4
updater | <job_450065555> mocha@10.0.0 requires yargs-parser@^20.2.2 via yargs@16.2.0
updater | INFO <job_450065555> The earliest fixed version is 13.1.2.
updater | INFO <job_450065555> Finished job processing
https://github.com/leaflet-extras/leaflet-providers/security/dependabot/6/update-logs/266777016
jieter commented
I suspect these alerts are concerning our `devDependencies`, not our runtime dependencies. So I'd say that dismissing them for now is OK.
brunob commented
> I suspect these alerts are concerning our `devDependencies`

Exactly, I'll dismiss them :)
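
The dev-only assumption discussed in this thread can be checked against the lockfile before dismissing an alert. The following is an added example, not code from the thread or from the project: it assumes a `package-lock.json` with `lockfileVersion` 2 or 3, assumes the flagged package is `yargs-parser` (as the conflict lines in the log suggest), and uses a constructed sample lockfile; `classifyCopies` and `runtimeExposure` are hypothetical helper names.

```javascript
// Compare plain x.y.z versions (assumption: no pre-release or build tags).
const semverLt = (a, b) => {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
};

// List every installed copy of `name`, hoisted or nested, with its dev flag.
function classifyCopies(lock, name, fixedVersion) {
  const suffix = 'node_modules/' + name;
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith('/' + suffix)) continue;
    if (!meta.version) continue; // link entries carry no version
    copies.push({
      path,
      version: meta.version,
      // npm sets dev: true only when the copy is reachable solely
      // through devDependencies; devOptional or absent is not dev-only.
      devOnly: meta.dev === true,
      vulnerable: semverLt(meta.version, fixedVersion),
    });
  }
  return copies;
}

// Copies that are both below the fixed version and shipped at runtime.
function runtimeExposure(lock, name, fixedVersion) {
  return classifyCopies(lock, name, fixedVersion)
    .filter((c) => c.vulnerable && !c.devOnly);
}

// Constructed sample: versions from the update log, paths are illustrative.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example', devDependencies: { mocha: '^10.0.0', 'mocha-chrome': '^2.2.0' } },
    'node_modules/yargs-parser': { version: '20.2.4', dev: true },
    'node_modules/meow/node_modules/yargs-parser': { version: '10.1.0', dev: true },
  },
};

console.log(classifyCopies(sampleLock, 'yargs-parser', '13.1.2'));
console.log('runtime exposure:', runtimeExposure(sampleLock, 'yargs-parser', '13.1.2').length);
```

An empty result from `runtimeExposure` supports dismissing the alert as dev-only; any entry in it means a vulnerable copy is installed for consumers of the package as well.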