Snyk / npm install / audit alerts #933
Comments
kellylee-gds
added
🕔 Hours
|
Thanks for the high priority label. This one's just popped up as well, must be the weather for it! https://snyk.io/vuln/SNYK-JS-UAPARSERJS-610226 Edit - whoops I think that one is only showing up as I don't have a lock file committed (it's a transitive dep from browser-sync) |
|
thanks, are you getting gulp-sass come up too? https://snyk.io/test/github/alphagov/govuk-prototype-kit doesnt seem to be a fix for that one |
|
Yes I am. In other projects I've been able to swap that out for the reference dart sass https://www.npmjs.com/package/sass so it's a pure javascript implementation (which has in the past been handy doing dev / builds on windows, though I believe node-sass have sorted those problems now) I'd imagine a similar swap is non trivial for you here? iirc we made the change when the docs got updated https://frontend.design-system.service.gov.uk/installing-with-npm/#install-with-node-js-package-manager-npm after keeping an eye on alphagov/govuk-frontend#1683 |
|
ugh sorry you mentioned sass in the original post! Have opened an issue for it: #939 |
Hi
I've not looked into exactly how it is used in the kit, but snyk is flagging the "marked" dependency as follows, any chance of a major version upgrade?
Also are there any plans to swap out node-sass in favour of the javascript only sass? https://www.npmjs.com/package/sass
While this is just the prototype kit, and we'd catch any issues in any real apps in CI, I'm trying to train our team to always be mindful of npm / snyk warnings rather than just learning the behaviour of ignoring them! (i.e. read that line about request being deprecated and don't spend time implementing it only to have to rip it out later!)
many thanks
The text was updated successfully, but these errors were encountered: