
Run npm audit fix for prod dependencies#38

Open
radu-matei wants to merge 1 commit into main from fix/npm-audit-fix

Conversation

@radu-matei
Member

After this PR:

$ npm audit --omit dev
found 0 vulnerabilities

TODO for a follow-up PR, since it would involve breaking changes to fix the dev dependencies:

$ npm audit --include dev
# npm audit report

nanoid  <3.3.8
Severity: moderate
Predictable results in nanoid generation when given non-integer values - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix --force`
Will install mocha@11.7.4, which is a breaking change
node_modules/nanoid
  mocha  8.2.0 - 10.5.2
  Depends on vulnerable versions of nanoid
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha

serialize-javascript  6.0.0 - 6.0.1
Severity: moderate
Cross-site Scripting (XSS) in serialize-javascript - https://github.com/advisories/GHSA-76p7-773f-r4q5
fix available via `npm audit fix --force`
Will install mocha@11.7.4, which is a breaking change
node_modules/serialize-javascript

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Signed-off-by: Radu Matei <radu@fermyon.com>
