Reduce the number of reported vulnerabilities by `npm audit`
Background / User story
As we are gearing up for the manifest v3 upgrade, we must understand that we are going to leave a chunk of our users without the ability to upgrade the extension (e.g. they are on a managed machine and cannot upgrade Chrome). It's important that we do our best to leave the MV2 extension in a state where it does not have glaring security gaps.
One way of doing this is bringing down the number of vulnerabilities reported by `npm audit`. While `npm audit` is far from perfect, and even sometimes downright useless, we do have 49 vulnerabilities (1 low, 14 moderate, 30 high, 4 critical) currently reported by it, which is quite a lot for a project with a small number of dependencies. The critical vulnerabilities in particular should probably be addressed.
Dependency changes
TBD during the work: identify which dependencies are causing the reported vulnerabilities and try to find a balance between fixing as many of them as possible and not having to change a lot of (if any) code.
Integration changes
- Legal: (Link to JIRA ticket with Legal's approval)
- Development: `npm audit` and `npm audit fix` should already go a long way.
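To make the "which dependency causes what, and what does fixing it cost" question concrete, here is an added triage script (not part of this ticket or the project's code) that reads the JSON form of the report produced by `npm audit --json`. It assumes the npm 7+ report shape (auditReportVersion 2): a `vulnerabilities` map keyed by package name whose entries carry `severity`, `isDirect`, `via`, `effects` and `fixAvailable`. The embedded report is constructed sample data with placeholder package names and advisories, not the project's real audit output. The script walks each advisory up to the direct dependency we would actually bump and sorts the work into three buckets: fixable by `npm audit fix` without a breaking change, fixable only through a semver-major bump (the case that needs the extra testing listed below), and no published fix.

```javascript
// Added example, not from the ticket or the project: triage an `npm audit --json` report.
// Assumes the npm 7+ report shape (auditReportVersion 2).

const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];
const FIX_ORDER = ["safe", "major", "none"]; // ascending effort for the developer

function severityRank(s) {
  return SEVERITY_ORDER.indexOf(s); // -1 for anything unexpected
}

// What `npm audit fix` can do for one vulnerable package:
//   true                         -> a non-breaking update fixes it ("safe")
//   { isSemVerMajor: true, ... } -> only a breaking bump of the named package ("major")
//   false / missing              -> no published fix ("none")
function fixKind(entry) {
  const fix = entry.fixAvailable;
  if (fix === true) return "safe";
  if (fix && typeof fix === "object") return fix.isSemVerMajor ? "major" : "safe";
  return "none";
}

// Follow `effects` (the packages that depend on `name`) upward until a direct
// dependency of the project is reached; that is the package we would bump.
function directDependents(name, vulns, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = vulns[name];
  if (!entry) return [];
  if (entry.isDirect) return [name];
  const roots = [];
  for (const parent of entry.effects || []) roots.push(...directDependents(parent, vulns, seen));
  return roots;
}

function triageAudit(report) {
  const vulns = report.vulnerabilities || {};
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const byRoot = new Map();

  for (const [name, entry] of Object.entries(vulns)) {
    // npm counts every affected package, including ones only affected through a
    // dependency; that is how a summary like "49 vulnerabilities" is produced.
    if (entry.severity in counts) counts[entry.severity] += 1;

    // Only advisory objects in `via` are vulnerabilities of this package itself;
    // string entries mean "inherited from that package" and are counted there.
    const advisories = (entry.via || []).filter((v) => typeof v === "object");
    if (advisories.length === 0) continue;

    const roots = directDependents(name, vulns);
    for (const root of roots.length ? roots : ["(no direct dependency found)"]) {
      const rec = byRoot.get(root) || { root, severity: "info", fix: "safe", packages: [], advisories: 0 };
      if (severityRank(entry.severity) > severityRank(rec.severity)) rec.severity = entry.severity;
      const kind = vulns[root] ? fixKind(vulns[root]) : "none";
      if (FIX_ORDER.indexOf(kind) > FIX_ORDER.indexOf(rec.fix)) rec.fix = kind;
      if (!rec.packages.includes(name)) rec.packages.push(name);
      rec.advisories += advisories.length;
      byRoot.set(root, rec);
    }
  }

  const roots = [...byRoot.values()].sort(
    (a, b) => severityRank(b.severity) - severityRank(a.severity) || a.root.localeCompare(b.root)
  );
  const total = Object.values(counts).reduce((a, b) => a + b, 0);
  return { counts, total, roots };
}

// Split the direct dependencies into the three work buckets.
function plan(triage) {
  const buckets = { safe: [], major: [], none: [] };
  for (const r of triage.roots) buckets[r.fix].push(r.root);
  return buckets;
}

// Read a saved report (`npm audit --json > audit.json`) and triage it.
function triageFile(path) {
  const fs = require("fs");
  return triageAudit(JSON.parse(fs.readFileSync(path, "utf8")));
}

// Constructed sample report with placeholder names; not real packages or advisories.
const advisory = (name, severity, range) => ({ source: 0, name, title: "constructed placeholder advisory", severity, range });
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "xml-parser-x": { name: "xml-parser-x", severity: "high", isDirect: false, via: [advisory("xml-parser-x", "high", "<2.0.0")],
      effects: ["image-tool-x"], range: "<2.0.0", nodes: ["node_modules/xml-parser-x"], fixAvailable: { name: "image-tool-x", version: "3.0.0", isSemVerMajor: true } },
    "image-tool-x": { name: "image-tool-x", severity: "high", isDirect: true, via: ["xml-parser-x"],
      effects: [], range: "<=2.9.9", nodes: ["node_modules/image-tool-x"], fixAvailable: { name: "image-tool-x", version: "3.0.0", isSemVerMajor: true } },
    "fetch-shim-x": { name: "fetch-shim-x", severity: "critical", isDirect: true, via: [advisory("fetch-shim-x", "critical", "<1.4.0")],
      effects: [], range: "<1.4.0", nodes: ["node_modules/fetch-shim-x"], fixAvailable: true },
    "tiny-util-x": { name: "tiny-util-x", severity: "moderate", isDirect: false, via: [advisory("tiny-util-x", "moderate", "*")],
      effects: ["build-helper-x"], range: "*", nodes: ["node_modules/tiny-util-x"], fixAvailable: false },
    "build-helper-x": { name: "build-helper-x", severity: "moderate", isDirect: true, via: ["tiny-util-x"],
      effects: [], range: "*", nodes: ["node_modules/build-helper-x"], fixAvailable: false },
  },
};

function printReport(triage) {
  console.log(`${triage.total} vulnerable packages:`, triage.counts);
  for (const r of triage.roots) {
    console.log(`${r.severity.padEnd(8)} ${r.root}: ${r.advisories} advisory(ies) via ${r.packages.join(", ")} -> fix: ${r.fix}`);
  }
  console.log("plan:", plan(triage));
}
printReport(triageAudit(SAMPLE_REPORT));
```

Running the file as-is prints the triage of the constructed sample: one direct dependency that `npm audit fix` can patch in place, one that needs a semver-major bump and therefore a code review plus the extra test pass, and one with no fix published, which is the case where swapping the dependency out has to be weighed against keeping it. Against the real tree, save `npm audit --json` to a file and call `triageFile` on it; the `major` bucket is the list of dependencies whose upgrade has to be tested explicitly.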
Hints for testers
There should be no functional change. Every npm script should still work and the GitLab CI jobs should still work.
Edit: The following dependencies had a major version upgrade: xmldom, svgo, pngquant-bin and node-fetch.
Things to test:
- Unit tests are passing (xmldom)
- `npm run optimize` works for both SVGs and PNGs (svgo and pngquant-bin)
- XTM scripts are still working in CI