Security vulnerability in dependency preventing on-boarding latest version to enterprise npm registry
ashishpadman opened this issue · 2 comments
There are security vulnerabilities for the npm package serialize-javascript@1.9.1 as listed below:
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-536840
- https://snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062
This package is a dependency of uglifyjs-webpack-plugin package in the latest qdt-components dependency list.
We are stuck at qdt-components@1.3.13 in our corporate npm registry because of this, as it refuses to onboard a package with a high-severity vulnerable dependency. Is it possible to remove uglifyjs-webpack-plugin as a dependency?
Note: uglifyjs-webpack-plugin should be a dev dependency; I don't understand why it is added as a direct dependency.
Thank you.
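The mechanism behind this report, as an added example that is not part of the issue or of the qdt-components project: npm installs a package's `dependencies` transitively for every consumer, but never its `devDependencies`, so a build-time plugin listed under `dependencies` drags its whole subtree (here serialize-javascript, via uglifyjs-webpack-plugin) into every consumer's install, while the same plugin under `devDependencies` is invisible to consumers. The registry below is constructed and trimmed to the packages the issue names plus a placeholder runtime library; the version ranges and the `some-runtime-lib` name are assumptions, and the regex used to spot build tooling is a heuristic of this example, not an npm rule.

```javascript
// Constructed mini-registry: package name -> manifest. Only the edge the issue
// describes (uglifyjs-webpack-plugin -> serialize-javascript) is taken from the
// report; ranges and "some-runtime-lib" are placeholders for illustration.
const REGISTRY = {
  "qdt-components": {
    dependencies: { "uglifyjs-webpack-plugin": "^1.3.0", "some-runtime-lib": "^2.0.0" },
    devDependencies: { "webpack": "^4.0.0" },
  },
  "uglifyjs-webpack-plugin": {
    dependencies: { "serialize-javascript": "^1.4.0" },
    devDependencies: { "webpack": "^4.0.0" },
  },
  "serialize-javascript": { dependencies: {}, devDependencies: {} },
  "some-runtime-lib": { dependencies: {}, devDependencies: {} },
  "webpack": { dependencies: {}, devDependencies: {} },
};

// Packages the issue reports as vulnerable (serialize-javascript@1.9.1 per the
// Snyk links). Version matching is omitted; the graph is name-only.
const VULNERABLE = new Set(["serialize-javascript"]);

// Walk only `dependencies` edges from `root`, recording the path to each
// reachable package. Returns Map<name, path[]>. `devDependencies` are skipped
// because npm does not install them for a package's consumers.
function consumerInstallGraph(registry, root) {
  const reached = new Map([[root, [root]]]);
  const queue = [root];
  while (queue.length) {
    const name = queue.shift();
    const manifest = registry[name];
    if (!manifest) continue; // unknown package: nothing further to walk
    for (const dep of Object.keys(manifest.dependencies || {})) {
      if (!reached.has(dep)) {
        reached.set(dep, [...reached.get(name), dep]);
        queue.push(dep);
      }
    }
  }
  return reached;
}

// List which `vulnerable` packages a consumer of `root` would install, with
// the dependency chain that pulls each one in.
function vulnerableTransitives(registry, root, vulnerable) {
  return [...consumerInstallGraph(registry, root).entries()]
    .filter(([name]) => vulnerable.has(name))
    .map(([name, path]) => ({ name, path: path.join(" > ") }))
    .sort((a, b) => a.name.localeCompare(b.name));
}

// Heuristic (this example's assumption, not an npm rule): webpack plugins and
// loaders are build tooling and do not belong in a library's `dependencies`.
const BUILD_TOOL_PATTERN = /(-webpack-plugin|-loader)$|^webpack$/;
function buildToolingInDependencies(manifest) {
  return Object.keys(manifest.dependencies || {})
    .filter((name) => BUILD_TOOL_PATTERN.test(name))
    .sort();
}

// Return a copy of `manifest` with `dep` moved from dependencies to
// devDependencies (the fix the issue asks for); the range string is kept.
function moveToDevDependencies(manifest, dep) {
  const { [dep]: range, ...dependencies } = manifest.dependencies || {};
  if (range === undefined) return manifest;
  return {
    ...manifest,
    dependencies,
    devDependencies: { ...(manifest.devDependencies || {}), [dep]: range },
  };
}

// Apply the fix to one package in a copy of the registry so before/after can
// be compared without mutating the original.
function withFix(registry, pkg, dep) {
  return { ...registry, [pkg]: moveToDevDependencies(registry[pkg], dep) };
}

// Before/after comparison for the package in the issue.
const FIXED = withFix(REGISTRY, "qdt-components", "uglifyjs-webpack-plugin");
console.log("build tooling in dependencies:", buildToolingInDependencies(REGISTRY["qdt-components"]));
console.log("before fix:", vulnerableTransitives(REGISTRY, "qdt-components", VULNERABLE));
console.log("after fix: ", vulnerableTransitives(FIXED, "qdt-components", VULNERABLE));
```

A practitioner running this check against a real manifest would feed in the resolved graph from `npm ls --json` or the lockfile rather than a hand-built registry, and would match versions as well as names; the structure of the check is the same.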
Moved to dev
3.0.0-beta.22
Thank you. When will this be released to the master branch? Unfortunately, the automated procurement tool in the company only picks up from master branch releases