In rc-1, as well as in rc-3, there are 10 security alerts as found by GitHub in package-lock.json. All that is being suggested is to increase the dependency versions to ones that have been patched against several security vulnerabilities. See attached screenshot for details.
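The check the alerts describe (every locked copy of a dependency at or above the patched version) is easy to automate so it can run on a lockfile before release rather than waiting for a hosting platform to flag it. The script below is an added example, not code from this issue or from the module; the package names, minimum-version table and lockfile contents are constructed placeholders, and it handles both the nested lockfileVersion 1 layout and the flat `packages` map of lockfileVersion 2/3, including transitive copies nested under another package.

```python
"""Flag npm lockfile entries that sit below a minimum patched version.

Added example for this issue, not part of the module. The minimum-version
table and the sample lockfiles are constructed for illustration only.
"""
import json
import re

# Constructed placeholder table: name -> lowest version considered patched,
# as an advisory feed or a platform's dependency alerts would supply it.
MIN_PATCHED = {
    "example-pkg-a": "4.17.19",
    "example-pkg-b": "2.2.0",
}

_NUM = re.compile(r"\d+")


def version_key(version):
    """Turn 'v1.2.3-rc.1+build' into a comparable (1, 2, 3) tuple.

    Pre-release and build suffixes are dropped, which is a deliberate
    simplification: the comparison is on the core major.minor.patch only.
    """
    core = version.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in _NUM.findall(core)[:3]) or (0,)


def iter_lock_entries(lock):
    """Yield (name, version) for every installed copy, nested ones included."""
    packages = lock.get("packages")
    if packages is not None:
        # lockfileVersion 2/3: keys are install paths like
        # "node_modules/a/node_modules/b"; "" is the root project itself.
        for path, meta in packages.items():
            if not path:
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            if "version" in meta:
                yield name, meta["version"]
        return
    # lockfileVersion 1: nested "dependencies" objects, walked iteratively.
    stack = [lock.get("dependencies", {})]
    while stack:
        deps = stack.pop()
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            if meta.get("dependencies"):
                stack.append(meta["dependencies"])


def find_outdated(lock_text, minimums=MIN_PATCHED):
    """Return a sorted list of (name, locked_version, minimum) below the patched version."""
    lock = json.loads(lock_text)
    findings = set()
    for name, version in iter_lock_entries(lock):
        required = minimums.get(name)
        if required and version_key(version) < version_key(required):
            findings.add((name, version, required))
    return sorted(findings)


# Constructed sample, lockfileVersion 1: the top-level copy of example-pkg-a
# is current, but a stale transitive copy hides under example-pkg-b.
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "example-pkg-a": {"version": "4.17.19"},
        "example-pkg-b": {
            "version": "2.1.4",
            "dependencies": {"example-pkg-a": {"version": "4.17.11"}},
        },
    },
})

# Constructed sample, lockfileVersion 2: everything at or above the minimum.
SAMPLE_LOCK_V2 = json.dumps({
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "root-project"},
        "node_modules/example-pkg-b": {"version": "2.2.0"},
        "node_modules/example-pkg-b/node_modules/example-pkg-a": {"version": "4.17.20-beta.1"},
    },
})

if __name__ == "__main__":
    for sample in (SAMPLE_LOCK_V1, SAMPLE_LOCK_V2):
        for name, found, minimum in find_outdated(sample):
            print(f"{name}: locked {found}, need >= {minimum}")
```

Walking nested entries matters because a top-level bump alone leaves older transitive copies in place, which is exactly what lockfile-based alerts report; running the check in CI against the real lockfile, with the minimum table taken from the advisories you actually track, catches that before a release is tagged.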

Comments

iankmcilwraith created an issue. See original summary.

  • JFeltkamp committed 120e13f on 8.x-1.x
    Issue #3109230 by iankmcilwraith: Security issues in package-lock.json
    
  • JFeltkamp committed 916e86f on 8.x-1.x
    Issue #3109230 by iankmcilwraith: Security issues in package-lock.json
    
  • JFeltkamp committed c9a5723 on 8.x-1.x
    Issue #3109230 by iankmcilwraith: Security issues in package-lock.json
    

Version: 8.x-1.0-rc3 » 8.x-1.x-dev
Status: Active » Needs review

The package.json, package-lock.json and webpack.config.js are just for maintaining the module and not for custom use.
But ok. I removed the package-lock.json and set it in .gitignore.

Fixed in 8.x-1.x and will be part of next RC.


Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.