Installing dependencies #2466
Comments
Hello, I do agree that it makes sense to update dependencies more regularly. The existence of a vulnerability in a dependency does not necessarily mean that we are affected - for example, many of our dependencies are used only in development to build the code. The first vulnerability in the audit report looks potentially applicable, but since we do not use electron-builder to generate the Windows installer, I believe we are not affected (source). I have upgraded some of the dependencies here, which addresses the top things in the list: b2c6cd7. The remaining issues identified by NPM are issues for which there doesn't seem to be an update to the top-level package available, and I don't believe we're affected by them either. Thanks for opening the security report; it's always best to open a report if there is a potential concern, since those go to the top of my inbox. Since a) you've already posted this issue publicly with the same information, and b) I don't believe there's a specific vulnerability to address, I'm going to close it and leave further discussion in this issue.
Thanks, I'm new to npm and just started working with Min yesterday. I didn't know that some of them were only used for building in dev mode, so I posted a security concern because it's (like you said) always good to update dependencies. Some of the dependencies have just been renamed and I think it would be good to use the newer versions if possible. I'm not super sure how to do any of that, though.
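The dev-only versus shipped distinction made in the comment above can be checked mechanically. This is an added example, not part of the thread or of Min's code: it cross-references `npm audit --json` findings with `package-lock.json`, assuming the npm 7+ audit format (a `nodes` array per finding) and lockfile v2/v3 (`dev: true` on dev-only packages). All package names and data are constructed.

```javascript
// Constructed lockfile excerpt: dev-only packages carry `dev: true`.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/build-tool-x": { version: "1.0.0", dev: true },
    "node_modules/glob-lib-y": { version: "2.1.0", dev: true },
    "node_modules/runtime-lib-z": { version: "0.9.0" },
    "node_modules/shared-util": { version: "1.2.3" },
    "node_modules/build-tool-x/node_modules/shared-util": { version: "0.1.0", dev: true },
  },
};

// Constructed audit excerpt: `nodes` lists every install path of the vulnerable package.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-lib-y": { severity: "high", nodes: ["node_modules/glob-lib-y"], fixAvailable: true },
    "runtime-lib-z": { severity: "moderate", nodes: ["node_modules/runtime-lib-z"], fixAvailable: false },
    "shared-util": {
      severity: "low",
      nodes: ["node_modules/shared-util", "node_modules/build-tool-x/node_modules/shared-util"],
      fixAvailable: { name: "build-tool-x", version: "2.0.0", isSemVerMajor: true },
    },
  },
};

// Sort findings into buckets. A finding is devOnly only if EVERY install path
// is flagged dev in the lockfile; one production path makes it production.
// `devOptional` entries are deliberately not treated as dev-only (conservative).
// Paths missing from the lockfile go to `unknown` for manual review.
function triageAudit(audit, lock) {
  const packages = lock.packages || {};
  const result = { production: [], devOnly: [], unknown: [] };
  for (const [name, vuln] of Object.entries(audit.vulnerabilities || {})) {
    const nodes = vuln.nodes || [];
    const entries = nodes.map((path) => packages[path]);
    let bucket = "production";
    if (nodes.length === 0 || entries.some((e) => e === undefined)) bucket = "unknown";
    else if (entries.every((e) => e.dev === true)) bucket = "devOnly";
    // fixAvailable is either a boolean or an object describing the upgrade.
    result[bucket].push({ name, severity: vuln.severity, fixAvailable: Boolean(vuln.fixAvailable) });
  }
  return result;
}

console.log(JSON.stringify(triageAudit(sampleAudit, sampleLock), null, 2));
```

The `devOnly` bucket still runs on developer and build machines, so it is a prioritisation aid rather than a reason to skip the upgrade.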
Yup, I don't want to discourage opening security reports, it's good to do if there's any possibility of an issue.
After my change in b2c6cd7, I don't think this is the case anymore - do you still see any where this is the case on the main branch?
Security Issue and Error when installing dependencies for the developer version when on Linux, I get warnings saying that some of the dependencies are deprecated.
The reason this is a problem is that using deprecated dependencies is bad and could lead to bugs and not working at all. This is also a big security issue because it uses outdated software.
Some of the dependencies have been renamed and as you will see later it will be easy to fix.
Min Version:
Operating system:
Expected Behavior
The expected behavior is for it to show no errors and install the needed dependencies.
Actual Behavior
It shows many warnings,
When I run npm install (while in the main directory of Min) I install all of the things I need, but some of them are no longer being maintained.
Output,
To Reproduce
The steps I took to show this are to download the GitHub "Min" zip, extract it to a folder (in my case min-master), and use npm install to install the needed packages for the development of Min (I would like to help with Min, so I followed the Development instructions). The npm install output is where the error was.
Full Output
I will also be making a security issue because this is also a big security issue,
Npm Audit report