As I've been reviewing and testing in MC, both GitHub and NPM have been giving me security warnings. I spent a little time checking out the items NPM reported from running `npm audit`. They are:

- Update `socket.io` to `^2.2.0` from `^1.4.6`. See this comment about breaking changes, which do not appear to affect this repo.
- Replace `jade` with `pug` (jade is deprecated and pug is the next version of it).
- Downstream upgrades to dependencies on `eslint` (a devDependency).
- `Bower` update to `^1.8.8` from `^1.8.4`.

I've started implementing them on security-audit-fixes.
The items that GitHub is reporting are mostly client-side libraries that are actually being tracked by the repo and may warrant a whole other discussion on removing those.
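As an added example (not code from the issue or from this repository), the script below does the triage step the post describes: it reads the JSON that `npm audit --json` prints, ranks findings by severity, separates direct dependencies from transitive ones, and flags which of the proposed range changes cross a major version (the case where semver allows breaking changes, as with `^1.4.6` to `^2.2.0`). The `SAMPLE_REPORT` embedded in it is constructed for illustration; its package names and advisory ids are placeholders, not real advisories.

```javascript
// Added example, not part of the original issue: triage the JSON that
// `npm audit --json` prints so findings can be ranked by severity and
// direct dependencies separated from transitive ones before deciding on
// upgrades. SAMPLE_REPORT is constructed; its package names and advisory
// ids are placeholders, not real advisories.

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Constructed npm 6 style report (an "advisories" map keyed by advisory id).
const SAMPLE_REPORT = {
  advisories: {
    "1001": {
      module_name: "pkg-a", // placeholder direct dependency
      severity: "moderate",
      title: "Placeholder advisory for pkg-a",
      findings: [{ version: "1.0.0", paths: ["pkg-a"] }],
    },
    "1002": {
      module_name: "pkg-c", // placeholder transitive dependency
      severity: "high",
      title: "Placeholder advisory for pkg-c",
      findings: [{ version: "2.3.0", paths: ["pkg-b>pkg-c"] }],
    },
  },
};

// Normalise either the npm 6 report shape ("advisories") or the npm 7+
// shape ("vulnerabilities") into flat rows sorted by descending severity.
function summarizeAudit(report) {
  const rows = [];
  if (report.advisories) {
    for (const adv of Object.values(report.advisories)) {
      // A dependency path without ">" means the vulnerable module is a direct dependency.
      const direct = adv.findings.some((f) => f.paths.some((p) => !p.includes(">")));
      rows.push({ name: adv.module_name, severity: adv.severity, title: adv.title, direct });
    }
  } else if (report.vulnerabilities) {
    for (const [name, v] of Object.entries(report.vulnerabilities)) {
      // "via" holds advisory objects for the vulnerable package itself and
      // plain package names when the problem is only inherited from a dependency.
      const titles = v.via.filter((x) => typeof x === "object").map((x) => x.title);
      rows.push({
        name,
        severity: v.severity,
        title: titles.join("; ") || `reached via ${v.via.join(", ")}`,
        direct: v.isDirect === true,
        fixAvailable: v.fixAvailable,
      });
    }
  }
  return rows.sort(
    (a, b) => SEVERITY_ORDER.indexOf(b.severity) - SEVERITY_ORDER.indexOf(a.severity)
  );
}

// Count rows per severity so one line of output gives the overall picture.
function countBySeverity(rows) {
  const counts = {};
  for (const r of rows) counts[r.severity] = (counts[r.severity] || 0) + 1;
  return counts;
}

// Compare the leading major version of two caret/tilde ranges. A major bump
// (e.g. ^1.4.6 -> ^2.2.0) is where semver permits breaking changes, so it is
// the upgrade that deserves a release-notes check before merging.
function isSemverMajorBump(fromRange, toRange) {
  const major = (r) => parseInt(r.replace(/^[\^~>=<\s]+/, "").split(".")[0], 10);
  return major(toRange) > major(fromRange);
}

if (typeof require !== "undefined" && require.main === module) {
  // Runs against the constructed sample; for a real project, save
  // `npm audit --json > audit.json` and JSON.parse that file instead.
  const rows = summarizeAudit(SAMPLE_REPORT);
  console.log(countBySeverity(rows));
  for (const r of rows) {
    console.log(`${r.severity.padEnd(8)} ${r.direct ? "direct    " : "transitive"} ${r.name}: ${r.title}`);
  }
  console.log("^1.4.6 -> ^2.2.0 is a major bump:", isSemverMajorBump("^1.4.6", "^2.2.0"));
  console.log("^1.8.4 -> ^1.8.8 is a major bump:", isSemverMajorBump("^1.8.4", "^1.8.8"));
}
```

The direct/transitive split matters for the decision the issue raises: a direct dependency is fixed by editing `package.json`, while a transitive one usually needs the parent package to publish a release that pulls in the patched version, or an explicit override.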