Replies: 2 comments
-
We get this kind of issue/discussion at least 10-15 times per year; if you search for it you'll find many explanations we already gave. TLDR: unless proven otherwise, those reported vulnerabilities are usually harmless, notably RegExp DOS vulnerabilities. If you see anything that looks more dangerous, we'll take a look. We are not fixing harmless vulnerabilities for the sake of getting rid of the warning, in particular when some of them require upgrading dependencies and maybe require a breaking change. We don't want to spend days fixing a warning for which there's no attack vector.
-
I already searched the discussions, but there were no relevant references to 'vulnerabilities':
If you know they are harmless, sure, no problem.
-
I'm using 3.5.2 and each time I run npm install I get a report about vulnerabilities; the suggestion to run npm audit fix did not help much, the high severity vulnerabilities are still there. I don't know what the project policy is towards such issues; in my other npm projects I generally try to address them.
Is there anything I should worry about?