Dependency Vulnerabilities #555
I'll take a look. We certainly don't need/want bower.
OK, so the issue here is simply that our npm module is out of date.
I've updated our @modeswitch can you please update the version in
@humphd Yeah, I can republish.
Fixed in #563
Let's deal with #566 before people upgrade their code.
All the various work that was blocking this has been cleared, and I think it's now safe to update what's on npm. It's a big update, so we'll need to figure out the version number, write the changelog so people make changes to use new/updated API, and I might try to get the npm deploy happening via travis automatically on tagging.
#404 for the deploy automation.
Fixed, see https://github.com/filerjs/filer/releases. NOTE: I've done a major version bump here because we landed so much, and I know that some of it will be breaking. Having said that, I also know that data loss won't be an issue, we have migration tests for this now (which is what took me so long to get this done!). Please file bugs on anything you find, I'm going to be moving on this again in the new year, and already have some more to ship.
As of NPM@6 and NPM's acquisition of the Node Security Platform, package vulnerabilities are now displayed upon install of the package. When installing filerjs, I noticed a few red flags that discouraged me from using it. 1) The first print to the command line after running install is:
npm WARN deprecated bower@1.3.12: We don't recommend using Bower for new projects. Please consider Yarn and Webpack or Parcel. You can read how to migrate legacy project here: https://bower.io/blog/2017/how-to-migrate-away-from-bower/
and 2) upon installation I found that it contains 29 vulnerabilities (5 low, 19 moderate, 4 high, 1 critical). Look at the npm audit report and you'll notice all the issues are from the Bower package and its dependencies. I propose there be a change of bundlers from Bower to Yarn using the migration listed in the Bower blog post, as this is the easiest fix.
As I am currently working on my own project that has a very strict deadline, and while I would like to use filer to speed up my development, I cannot use it in my own project if there are package dependencies, nor can I work on a fix for this project at the moment because of my own project's priority.
I hope someone can work on this soon so I can implement Filer, but otherwise it will have to wait until I finish the work I've already begun. I just hope that putting this here can start a thread about vulnerabilities in this project, that can also be referenced at future dates. Hope to hear some good news soon and all the best until then!
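The check described in the report above, attributing every npm audit finding to the direct dependency it enters through so you can confirm that one package (here Bower) accounts for all of them, as an added example that is not part of the issue or of the filer project. It assumes the npm 6 `npm audit --json` shape (advisories -> findings -> paths with `>`-separated paths); the sample report is constructed, not real advisory data.

```python
import json
from collections import Counter

# Constructed sample in the shape of npm 6 `npm audit --json` output (assumed
# field names: advisories -> findings -> paths). The advisories are invented.
SAMPLE_AUDIT = json.dumps({
    "advisories": {
        "1": {"module_name": "lodash", "severity": "high",
              "findings": [{"paths": ["bower>lodash", "bower>inquirer>lodash"]}]},
        "2": {"module_name": "minimatch", "severity": "moderate",
              "findings": [{"paths": ["bower>glob>minimatch"]}]},
        "3": {"module_name": "request", "severity": "critical",
              "findings": [{"paths": ["bower>bower-registry-client>request"]}]},
        "4": {"module_name": "debug", "severity": "low",
              "findings": [{"paths": ["express>debug"]}]},
    }
})

def summarize_audit(report_json):
    """Return (count per severity, count per direct dependency,
    direct dependencies per vulnerable module)."""
    report = json.loads(report_json)
    by_severity, by_root, roots_of = Counter(), Counter(), {}
    for adv in report.get("advisories", {}).values():
        by_severity[adv["severity"]] += 1
        roots = set()
        for finding in adv.get("findings", []):
            for path in finding.get("paths", []):
                # The first segment of "a>b>c" is the direct dependency.
                roots.add(path.split(">")[0])
        roots_of[adv["module_name"]] = sorted(roots)
        for root in roots:
            by_root[root] += 1
    return by_severity, by_root, roots_of

def only_via(report_json, root):
    """True when every advisory reaches the project only through `root`,
    i.e. dropping that one dependency would clear the whole report."""
    _, _, roots_of = summarize_audit(report_json)
    return bool(roots_of) and all(r == [root] for r in roots_of.values())

def drop_advisory(report_json, adv_id):
    """Return the report without one advisory (what-if helper for tests)."""
    report = json.loads(report_json)
    report["advisories"].pop(adv_id, None)
    return json.dumps(report)
```

npm 7 and later emit a different `vulnerabilities` structure, so the parser would need adjusting for current npm versions.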