Fix audit problems
annybs opened this issue · comments
I was able to use `npm audit fix` to resolve several issues in f32a224 but there are more remaining that introduce breaking changes, which I've not had luck resolving today. My efforts are visible on the fix/npm-audit branch.
In particular, to paraphrase from my notes on Discord: the major audit problems reside in dependencies of outdated versions of Vue CLI packages, which don't directly affect the wallet app, but are needed to run it. Upgrading Vue CLI involves upgrading the current v4.5 to v5, which is a breaking change because v5 drops Node polyfills. This means that the `crypto` and `stream` packages are no longer implicitly available. I attempted to resolve this by installing the corresponding browserify packages and adding them to webpack, but then found that Node's `Buffer` is not implicitly available either, and browserifying that doesn't seem to provide full coverage, resulting in this error in the browser that precludes any usage of the crypto libs:
I timeboxed for this task and haven't managed to completely wrap it up, but because wallet is a clientside application, the real impact of remaining security advisories is very limited. As such, I am unassigning myself from this task and leaving it for the next viewer who fancies their chances.
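For readers picking this up: the configuration shape that Vue CLI 5 (webpack 5) needs once the implicit Node polyfills are gone, as an added example. This is not the project's `vue.config.js` and not code from the issue author; it assumes `crypto-browserify`, `stream-browserify`, `buffer` and `process` are installed as devDependencies, and the helper name `nodePolyfillConfig` is an assumption for illustration. The comment above reports that browserifying `Buffer` still did not give full coverage for this app, so this shows only the two mechanisms involved: `resolve.fallback` for explicit imports of `crypto`/`stream`/`buffer`, and `ProvidePlugin` for the implicit `Buffer` and `process` globals, which a fallback entry alone never defines.

```javascript
// Added example, not the project's vue.config.js.
// Assumes devDependencies: crypto-browserify, stream-browserify, buffer, process.

// Node core modules the wallet's crypto libs import, mapped to browser
// replacements. webpack 5 consults resolve.fallback only after normal
// resolution fails, so genuine browser modules are unaffected. The trailing
// slash on 'buffer/' forces the npm package instead of the Node builtin.
const NODE_FALLBACKS = {
  crypto: 'crypto-browserify',
  stream: 'stream-browserify',
  buffer: 'buffer/',
};

// Builds the webpack options. `webpack` and `resolveModule` are injected so
// the helper can be exercised without webpack installed; in a real
// vue.config.js pass require('webpack') and require.resolve.
function nodePolyfillConfig(webpack, resolveModule) {
  const fallback = {};
  for (const [mod, pkg] of Object.entries(NODE_FALLBACKS)) {
    fallback[mod] = resolveModule(pkg);
  }
  return {
    // Covers `require('crypto')` / `import ... from 'stream'` style imports.
    resolve: { fallback },
    plugins: [
      // Covers libraries that use the globals `Buffer` and `process` without
      // importing them. Without this, those globals are simply undefined in
      // the bundle, which is the kind of runtime error the issue describes.
      new webpack.ProvidePlugin({
        Buffer: ['buffer', 'Buffer'],
        process: 'process/browser',
      }),
    ],
  };
}

// In vue.config.js this would be consumed as:
//   const webpack = require('webpack');
//   module.exports = {
//     configureWebpack: nodePolyfillConfig(webpack, require.resolve),
//   };
```

Note that `ProvidePlugin` only injects a global where the bundler sees a free identifier named `Buffer`; code that reaches `Buffer` through `globalThis` or feature-detects `typeof Buffer` at load time can still fail, which is consistent with the partial coverage reported above.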
An update to this issue after recent, tangential work. Merging #253 solves this problem: it replaces & updates several packages and swiftly brings the number of audit issues down to almost zero. (Those remaining are to do with Tailwind and postcss, which we can't update or replace without a significant time allocation and thorough design review.)
While that PR is currently blocked, when resolved it will implicitly resolve this issue, so let's not undertake any further work directly for this issue.