
Security issues: Old dependencies

Open ArchibaldBienetre opened this issue 3 years ago • 3 comments

Hi!

First: Thank you so much for this tutorial :bow:

As stated elsewhere, the repository has some issues with the modern Webpack 5 dependency (see my post here).

However, there is more than one reason to update it - the npm build reports 12 vulnerabilities (7 moderate, 5 high) for this repository.

Could you have a look? It's a beginner's tutorial; people likely put this into their projects without much knowledge yet to fix these issues... please don't leave them with insecure software!

Thanks in advance :heart:

ArchibaldBienetre avatar Mar 24 '22 15:03 ArchibaldBienetre

Ok, there is a more up-to-date version of this repository. It has webpack 5 on board: https://github.com/nyakaz73/springboot-reactjs-fullstack/blob/master/package.json#L22..L23

I had overlooked it earlier, because the spelling differs from this repository (spring-boot vs springboot...).

ArchibaldBienetre avatar Mar 29 '22 11:03 ArchibaldBienetre

Hi @ArchibaldBienetre, thanks for the feedback. You could kindly create a PR to this repo with the updated versions, if that is okay with you.

nyakaz73 avatar Mar 29 '22 13:03 nyakaz73

Sorry for the delay, I was struggling to get up to speed on all things React at work. I now feel decently proficient and confident to fix this project.

I may have some time today, but I'm not sure.

Meanwhile, I also learned that one should take the default vulnerability output with a pinch of salt. https://overreacted.io/npm-audit-broken-by-design/

ArchibaldBienetre avatar Jun 04 '22 01:06 ArchibaldBienetre
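The thread turns on two points: the raw "12 vulnerabilities (7 moderate, 5 high)" count, and the later caveat that the default `npm audit` output needs triage. The following is an added example, not code from this issue or from the repository, that reads the `npm audit --json` report format (auditReportVersion 2, npm 7+) and sorts findings by what actually matters: whether the package is a direct dependency, whether the finding is only inherited through another vulnerable package, and whether the fix is automatic, breaking (semver-major), or unavailable. The report embedded here is constructed; the package names and advisory titles are placeholders.

```javascript
// Triage an `npm audit --json` report (auditReportVersion 2, npm 7+).
// Constructed sample report: package names and advisories are placeholders,
// not real data. In practice, replace it with JSON.parse() of the output of
//   npm audit --json
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-loader": {
      name: "example-loader", severity: "high", isDirect: true,
      via: [{ title: "Placeholder advisory A", severity: "high", range: "<2.0.0" }],
      effects: [], range: "<2.0.0", nodes: ["node_modules/example-loader"],
      // Fix exists but crosses a major version: `npm audit fix` will not apply it.
      fixAvailable: { name: "example-loader", version: "2.1.0", isSemVerMajor: true },
    },
    "example-util": {
      name: "example-util", severity: "moderate", isDirect: false,
      via: [{ title: "Placeholder advisory B", severity: "moderate", range: "<1.4.2" }],
      effects: ["example-transitive"], range: "<1.4.2", nodes: ["node_modules/example-util"],
      fixAvailable: true, // plain `npm audit fix` resolves this one
    },
    "example-transitive": {
      name: "example-transitive", severity: "high", isDirect: false,
      via: ["example-util"], // a string in `via` means the finding is inherited
      effects: [], range: "*", nodes: ["node_modules/example-transitive"],
      fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 2, critical: 0, total: 3 } },
};

function triageAudit(report) {
  const out = { total: 0, bySeverity: {}, direct: [], inheritedOnly: [],
                autoFixable: [], breakingFix: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    out.total += 1;
    out.bySeverity[v.severity] = (out.bySeverity[v.severity] || 0) + 1;
    if (v.isDirect) out.direct.push(v.name);
    // Entries in `via` are either advisory objects or names of other vulnerable
    // packages; if all are names, nothing is reported against this package itself.
    if (v.via.every((x) => typeof x === "string")) out.inheritedOnly.push(v.name);
    if (typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor) out.breakingFix.push(v.name);
    else if (v.fixAvailable) out.autoFixable.push(v.name);
    else out.noFix.push(v.name);
  }
  // Sanity check: our walk should agree with the report's own headline count.
  out.matchesMetadata = out.total === report.metadata.vulnerabilities.total;
  return out;
}

console.log(JSON.stringify(triageAudit(SAMPLE_REPORT), null, 2));
```

The headline count treats the inherited finding and the directly vulnerable one alike; the triage shows that only one of the three needs a manual, breaking upgrade.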