svelte-native

Insecure dependencies

Open craig-sparks opened this issue 3 years ago • 1 comment

Just went to install this to use it for a prototype, but when installing I see several deprecated versions that reference security issues.

npm WARN deprecated [email protected]: Deprecated due to CVE-2021-21366 resolved in 0.5.0
npm WARN deprecated [email protected]: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated [email protected]: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410

Is this project dead? There were others, but those seemed to be the worst of the bunch.

craig-sparks, May 24 '22 02:05

Not sure where those dependencies are from.

A clean checkout of svelte-native gives 0 vulnerabilities in the svelte-native package when running npm audit. The "demo" app/test project has a couple, but these are in sub-dependencies of postcss and karma, which are dev-time (test-time) dependencies. I couldn't find any of the packages listed.

Could you give me more info on how you produced these warnings?

halfnelson, May 29 '22 02:05