Updating package.json to remedy security vulnerability warnings. #153
localredhead
commented
Jul 9, 2018
- Karma is still presenting issues in version 2.0.4 and has known vulnerabilities in log4js which is a sub-dependency of karma
0b92484 to eb979ae
Karma is getting some timeouts 🤔
@c-castillo @localredhead I want to replace karma with jest at some point. It's much simpler to set up and run.
@localredhead also update yarn.lock
Did you try doing a test build (`npm build`) to see if it builds fine?
@localredhead Let's see if changing the karma version to a minor version release instead, e.g. 1.7.1. Make sure to run yarn as well to update. I would like to get this in today.
I've checked all versions of Karma: 1.7.1, 2.0.0, 2.0.2, 2.0.3, 2.0.4. All versions have issues, 1.7.1 being the worst (but it has the same problems as 1.5.0). Log4j just released version 3.0.0, which should fix this issue. We need Karma to pull it in upstream and release 2.0.5 with the package updates. It looks like another day or two and it will be ready.
- should resolve security audits
I updated Karma to the commit against their master that fixes the security issues.
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ publish-release [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ publish-release > inquirer > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ publish-release [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ publish-release > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
[!] 2 vulnerabilities found - Packages audited: 11670 (11443 dev, 500 optional)
Severity: 2 Low
@c-castillo @localredhead this is still failing. Any news on it?
@pelle The Karma update doesn't prevent the karma CI from failing. I will continue debugging this to see if we can get to a solution.
Closing this. We've solved it by removing Karma in favor of Jest.
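The two remaining findings in the audit above are both "Prototype Pollution" in lodash (advisory 577, fixed in >=4.17.5). The example below is added here and is not code from this PR, the project, or lodash: it is a minimal deep-merge in the style of `merge`/`defaultsDeep`, written once without a key guard (the class of defect the advisory describes) and once hardened, plus a check that a fresh, unrelated object does not inherit the injected property. The JSON payload and the function names `unsafeMerge`, `safeMerge` and `isPrototypePolluted` are constructed for this demonstration.

```javascript
// Added example, not part of the PR or the project. Demonstrates the
// "Prototype Pollution" class named in the npm audit report above with a
// toy deep-merge, and the guard that closes it.

// Unguarded deep-merge: walks every own key of `source`, including a key
// literally named "__proto__" that JSON.parse happily creates.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below ends up writing onto the shared prototype.
      if (target[key] === undefined || typeof target[key] !== 'object') {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that must never be followed from untrusted input.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened deep-merge: skips prototype-reaching keys and only descends into
// properties that `target` owns itself, never inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== 'object') {
        target[key] = Object.create(null); // no prototype chain to climb
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper: merge a constructed hostile JSON document (the kind that
// arrives as an untrusted request body) into an empty object, then ask an
// unrelated fresh object whether it picked up the injected property.
// Cleans Object.prototype afterwards so the rest of the process is unaffected.
function isPrototypePolluted(mergeFn) {
  const hostile = JSON.parse('{"__proto__": {"polluted": true}}'); // constructed input
  mergeFn({}, hostile);
  const victim = {};
  const polluted = victim.polluted === true;
  delete Object.prototype.polluted;
  return polluted;
}

console.log('unsafeMerge pollutes:', isPrototypePolluted(unsafeMerge)); // true
console.log('safeMerge pollutes:  ', isPrototypePolluted(safeMerge));   // false
```

Upgrading lodash past the patched range is the real fix; the hand-written guard above only shows what the patched merge has to refuse, and why a passing audit matters even when the vulnerable copy sits under a dev-only dependency like publish-release.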