Picture of Jonas Jelinski
Reporting Vulnerabilities
by Jonas Jelinski - Thursday, 4 May 2023, 12:00 PM

I made an npm audit.

Results: 30 vulnerabilities (1 low, 7 moderate, 14 high, 8 critical)

npm audit fix --force did not solve the problem.

How do I report them? How do I get instructions how to get rid of them?

Picture of Oliver Foster
Re: Reporting Vulnerabilities
by Oliver Foster - Thursday, 4 May 2023, 12:55 PM

Ok. I'm going to try to convince you to not worry about it, in the knowledge that this conversation usually goes down badly.

Those are warnings, you'll need to read and understand the bugs from which they originate to ascertain if they apply in this context. The dependencies from which these warnings originate are specifically for the build tools of the adapt framework, they do not apply to the product, a finished course. The reason why they can't be automatically fixed using the package manager is that some of the secondary and tertiary dependencies we use are no longer actively maintained or have conflicting version numbers due to API changes that we don't have control over. It's much more complicated than seeing a warning and believing it needs fixing. 

Why do you need to have them fixed?

Picture of Jonas Jelinski
Re: Reporting Vulnerabilities
by Jonas Jelinski - Monday, 7 August 2023, 10:02 AM

Hi Oliver,

thank you for your answer.

"Why do you need to have them fixed?"

I just try to follow the rule "security by design" in any of my programming.

Thank you for helping me on this one!

Have a great week!