
Setup individual audit

Open hl662 opened this issue 1 year ago • 2 comments

This config means the pnpm audit task in the repo only runs against the root lockfile, not individual lockfiles across the monorepo.

(At time of writing) We have 63 high vulnerabilities and 1 critical to fix.

hl662, Mar 14 '25 18:03

Every package has multiple high vulnerabilities, I would suggest tackling each package's vulns in its own separate PR...

hl662, Mar 14 '25 18:03

Running pnpm up -r from the root updates the deps across the entire monorepo; running audit across each pkg afterwards reports fewer errors than before, and for some pkgs completely resolves them.

But the following pkgs still have CVEs that need to be resolved:

  • @itwin/grouping-mapping-widget
  • @itwin/one-click-lca-react
  • @itwin/reports-config-widget-react

fyi @arnobmallickbsw @itwin/insights-and-reporting-platform

aruniverse, Mar 14 '25 18:03