Package vulnerabilities
petripartanen opened this issue · comments
Cloned repo, run npm install, got:
> electron-builder install-app-deps
• electron-builder version=20.38.5
• loaded configuration file=package.json ("build" field)
• no native production dependencies
added 734 packages from 463 contributors and audited 2781 packages in 44.352s
found 112 vulnerabilities (60 low, 17 moderate, 35 high)
Result of running npm audit fix:
$ npm audit fix
added 1 package from 2 contributors, removed 3 packages and updated 18 packages in 7.871s
fixed 111 of 112 vulnerabilities in 2781 scanned packages
1 package update for 1 vulnerability involved breaking changes
(use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)
Seems like there was one low severity vulnerability left. Results of npm audit report:
$ npm audit
=== npm audit security report ===
# Run npm install --save-dev electron-builder@22.6.0 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ electron-builder [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ electron-builder > yargs > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1500 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 2797 scanned packages
1 vulnerability requires semver-major dependency updates.```