
Fix most audit warnings #317

Merged: 4 commits, Aug 19, 2021

Conversation

bpinto
Contributor

@bpinto bpinto commented Aug 14, 2021

  • npm install: version attribute change on package-lock.json.
  • npm audit fix.

There are 5 remaining reported vulnerabilities to be fixed; these will be done separately, as they might require code changes.

@Macil
Collaborator

Macil commented Aug 15, 2021

What version of npm are you using? With or without this PR, while using the latest npm 7.20.6, I get a lot of changes to the package-lock.json after running npm install. Could you make sure you're using the latest npm (npm i -g npm), and then entirely regenerate the package-lock.json (delete package-lock.json and node_modules and then run npm install again) so the package-lock exists in the latest format and pins the latest compatible version of everything?

@bpinto
Contributor Author

bpinto commented Aug 15, 2021

> What version of npm are you using?

6.14.14

> With or without this PR, while using the latest npm 7.20.6, I get a lot of changes to the package-lock.json after running npm install. Could you make sure you're using the latest npm (npm i -g npm), and then entirely regenerate the package-lock.json (delete package-lock.json and node_modules and then run npm install again) so the package-lock exists in the latest format

I'll do that. 👍 I don't think there is a way to specify an npm version to be used on a project, is there?

> pins the latest compatible version of everything

Would you like me to pin it using a fixed version, or ~ or ^? I have updated the minimum versions in package.json but kept the ^; let me know if you would like it different.

@bpinto bpinto mentioned this pull request Aug 15, 2021
This file was generated with npm 7+.
```
❯ npm audit fix
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)

added 5 packages, removed 30 packages, changed 34 packages, and audited 353 packages in 7s

pug  <3.0.1
Severity: high
Remote Code Execution - https://npmjs.com/advisories/1643
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/pug

1 high severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force
ERROR: 1
```
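For the `npm audit fix` output quoted above, here is an added example (not code from the kefir project or from anyone in this thread) of a small CI gate over `npm audit --json` in npm 7's auditReportVersion 2 format: it separates findings that `npm audit fix` repairs in place from those that, like pug here, only a semver-major bump behind `--force` repairs, and fails the build while anything at or above the chosen severity remains. The sample report is constructed; the `constructed-dep` package and the placeholder pug fix version are assumptions, since the quoted output redacts the version.

```javascript
// Added example, not code from the kefir project: classify an `npm audit --json`
// report (npm 7 format, auditReportVersion 2) so a CI gate can tell apart
// findings that `npm audit fix` repairs in place, findings that only a
// semver-major bump (`--force`) repairs, and findings with no fix at all.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample. The pug entry mirrors the finding in the thread; the
// fix version is a placeholder because the quoted output redacts it. The
// second entry is invented only to exercise the non-breaking path.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    pug: {
      name: 'pug', severity: 'high', isDirect: true, range: '<3.0.1',
      via: [{ source: 1643, title: 'Remote Code Execution',
              url: 'https://npmjs.com/advisories/1643', severity: 'high' }],
      nodes: ['node_modules/pug'],
      fixAvailable: { name: 'pug', version: '3.x.x', isSemVerMajor: true },
    },
    'constructed-dep': {
      name: 'constructed-dep', severity: 'moderate', isDirect: false,
      range: '<1.2.0', via: ['other-constructed-dep'],
      nodes: ['node_modules/constructed-dep'], fixAvailable: true,
    },
  },
};

// Buckets every finding by how `npm audit fix` can handle it and records
// which ones meet or exceed `failLevel`, the threshold the gate enforces.
function classifyAudit(report, failLevel = 'high') {
  const result = { safeFix: [], breakingFix: [], noFix: [], failing: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    const fix = v.fixAvailable;
    if (!fix) result.noFix.push(v.name);                       // false/undefined
    else if (fix === true || !fix.isSemVerMajor) result.safeFix.push(v.name);
    else result.breakingFix.push(v.name);                      // needs --force
    if ((SEVERITY_RANK[v.severity] || 0) >= SEVERITY_RANK[failLevel]) {
      result.failing.push(v.name);
    }
  }
  return result;
}

// Exit status for CI: non-zero while any finding at or above the threshold
// remains, regardless of whether a fix exists.
function auditExitCode(result) {
  return result.failing.length === 0 ? 0 : 1;
}
console.log(JSON.stringify(classifyAudit(SAMPLE_REPORT), null, 2));
```

In a pipeline the report would come from `npm audit --json` (which itself exits non-zero when findings exist) rather than from the embedded sample.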
@Macil
Collaborator

Macil commented Aug 15, 2021

> Would you like me to pin it using a fixed version or ~ or ^?

It wouldn't hurt but it's not necessary to manually update the package.json here (unless there are any major version upgrades that are intended to be pulled in here, which I don't think there are). Just running npm install without a package-lock.json will create a new one using the latest versions that are compatible with the ranges already present in package.json.

@Macil Macil merged commit 36e40b0 into kefirjs:master Aug 19, 2021
@bpinto bpinto deleted the fix-most-audit-warnings branch August 20, 2021 00:26