Conversation
@FDiskas were there any critical vulnerabilities worth fixing? Otherwise I'm not sure that's needed at all.
Sure. Because it's going to be installed on a server. This is important in any case.
@FDiskas what were the vulnerabilities? Are you sure the code they were in was actually used? (and not a build-time dependency as it is in ~95% of cases)
Do you actually want me to reproduce the security issues? I'm not going to do that. It's good practice to keep your subdependencies up to date. Remember redoss example... Those issues were fixed using
@FDiskas definitely not asking to reproduce anything.
So I removed most errors produced but used only in dev like
And it looks like it is used in production |
@FDiskas looks like it's just minimist (arg parsing) with a prototype pollution issue.
Why are you against updating it?
@FDiskas because if we want to update it, we need to do a new release.
=== npm audit security report ===
found 0 vulnerabilities
in 331894 scanned packages
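The point of contention in the thread (is the flagged package actually reached at runtime, or only pulled in by build-time tooling?) can be answered mechanically from the lockfile rather than by guessing. The following is an added example, not code from this PR or the project: it walks a constructed, lockfile-v1-like dependency map from the manifest's production roots and, separately, from its dev roots, and reports which scope first reaches the package. Every package name except minimist, and the manifest and lock data themselves, are constructed for illustration.

```javascript
// Added example (not from the PR): triage an advisory against a transitive
// package by checking whether it is reachable from the project's production
// "dependencies", as opposed to only from "devDependencies" (build tooling).
// The lock shape is modelled on a lockfile-v1 flattened "dependencies" map
// with per-entry "requires"; all names other than minimist are constructed.

// Constructed package.json excerpt
const manifest = {
  dependencies: { 'web-framework': '^1.0.0' },
  devDependencies: { 'test-runner': '^5.0.0', 'bundler-cli': '^2.0.0' },
};

// Constructed lock data: installed package -> what it requires
const lock = {
  'web-framework': { version: '1.2.3', requires: { 'body-parser-lite': '^0.9.0' } },
  'body-parser-lite': { version: '0.9.1', requires: {} },
  'test-runner': { version: '5.1.0', requires: { minimist: '^1.2.0' } },
  'bundler-cli': { version: '2.0.0', requires: { minimist: '^1.2.0', 'web-framework': '^1.0.0' } },
  minimist: { version: '1.2.0', requires: {} },
};

// Breadth-first walk from a set of root packages along "requires" edges.
// Returns a Map of reachable package name -> the path by which it was
// first reached (shortest path, since the walk is breadth-first).
function reachableFrom(roots, lockData) {
  const paths = new Map();
  const queue = roots.map((r) => [r]);
  while (queue.length) {
    const path = queue.shift();
    const name = path[path.length - 1];
    if (paths.has(name)) continue;
    paths.set(name, path);
    const entry = lockData[name];
    if (!entry) continue; // not in the lock: treat as a leaf
    for (const dep of Object.keys(entry.requires || {})) {
      if (!paths.has(dep)) queue.push([...path, dep]);
    }
  }
  return paths;
}

// Classify a package for triage: anything reachable from production roots
// ships to the server, even if dev tooling also depends on it.
function classify(pkg, manifestData, lockData) {
  const prod = reachableFrom(Object.keys(manifestData.dependencies || {}), lockData);
  const dev = reachableFrom(Object.keys(manifestData.devDependencies || {}), lockData);
  if (prod.has(pkg)) return { scope: 'production', path: prod.get(pkg) };
  if (dev.has(pkg)) return { scope: 'dev-only', path: dev.get(pkg) };
  return { scope: 'not-installed', path: null };
}

// Demonstration on the constructed data
console.log(classify('minimist', manifest, lock));
console.log(classify('body-parser-lite', manifest, lock));
```

The returned path tells the reviewer which direct dependency drags the flagged package in, which is the information needed to decide whether a bump (and the release it requires) is warranted. A "dev-only" result lowers the runtime risk but does not make the finding irrelevant: build tooling still runs on developer and CI machines, so it belongs in the normal update cadence rather than being dismissed.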