Conversation
|
@jonw-cogapp somehow this got lost in the shuffle. Node-forge has been updated to 1.3.14 (needs to be >= 1.3.2) but I'm not really sure how we want to go about testing this. |
|
@andrewtf Seems like there's a lot of npm vulnerabilities in this repo. It seems like Fixing this here could be a can of worms, and I think directs effort into the wrong place. I'm not sure what / if any of the vulnarabilities are finding their way into bundled code (needs more time than I can give right here). There's only one component that needs external dependencies, which is Instead of continuing to support this repo, I think it's worth thinking about abandonning it and migrating the components we do use into the site. Probably a better use of our time, and tightens our control on this. With all that being said: I think the risk of their being something actually exploitable in this front-end code within the context that it runs to be very unlikely, so we could also de-prioritise this. |
I updated dependencies by running
npm updateand things were updated. I'm unclear on how we go about testing this so I'm kicking it over to @jonw-cogapp for his expert opinion.