npm: update devdependencies to remove low security alerts #697
There were 2 low security alerts for a little more than a week that are linked to our devdependencies.
No urgency here as the risk for the RxPlayer is minimal. The alerts are:
- acorn, which we do not use directly
- animist, which is only used indirectly by karma - our integration and memory tests runner - and had thus few risks to impact the RxPlayer in any way, as well as no relation to our builds

The alert for animist is still there. That module is a dependency of the now-abandoned optimist module, itself a dependency of karma-js. Karma-js has not yet resolved the problem but was alerted, and a PR is under way.