Fix several npm audit warnings
What does this MR do?
This MR fixes several npm audit warnings.
Three warnings are still being reported by npm audit:
```
# Run  npm install --save-dev @angular/compiler-cli@9.1.2  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular/compiler-cli [dev]                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @angular/compiler-cli > chokidar > anymatch > micromatch >   │
│               │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│          Visit https://go.npm.me/audit-guide for additional guidance         │
└──────────────────────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ bootstrap                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.4.1 <4.0.0 || >=4.3.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @universis/theme                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @universis/theme > bootstrap                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/891                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ protractor [dev]                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ protractor > optimist > minimist                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

found 3 vulnerabilities (2 low, 1 moderate) in 47305 scanned packages
```
The first one, which refers to the @angular/compiler-cli@9.1.2 package, cannot be applied due to Angular version incompatibility.
The second one should be resolved by updating @universis/theme.
The protractor warning is related to a prototype pollution with low severity.
Related issues and links
npm audit fix updates @angular-devkit/build-angular to version 0.13.10, which has a known bug when trying to build an Angular application with the --source-map flag:
Angular build Failing with “Data path '.sourceMap' should be object.”
So this MR changes heroku-postbuild by removing the --prod --source-map flags:
```json
"heroku-postbuild": "npm run ng -- build"
```
This removal affects the active application configuration. The application will now try to load app.development.json instead of app.production.json. The Heroku CI pipeline may fail due to this change.
Developer Checklist
- I have successfully run the code of this merge request locally
- I have verified locally that my changes work for all necessary screen sizes
- I have tried out the changes of this MR with different users to identify bugs
- Coding is in progress, and I have marked the MR as WIP
- Coding is completed and the MR is ready for review
- My branch is up-to-date with the upstream master branch
- My MR follows the contribution guidelines
- I have added a comment with screenshots of the code running locally
Tech review Checklist
Have you verified that what is supposed to happen, actually does, and what is not supposed to happen, indeed does not?
- The MR accurately describes the changes and has a relevant title/description
- The MR does what it is supposed to according to its title, description and related issues/links
- I have successfully run the changes locally, and tried the new code
Overall review Checklist
- The MR references related issues/MRs
- The MR provides links to screens and screenshots
- The commits of the MR describe the changes, have proper wording, and follow the guidelines
- I have successfully run the changes locally, and tried the new code
- The MR is ready for merge (rebased, commit squashed if needed, etc)
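The minimist warning in the audit output above (advisory 1179, "Prototype Pollution") is left in place because protractor is a dev-only dependency. The block below is an added example, not code from this MR or from minimist itself, showing the bug class behind that advisory: an argv parser that turns `--a.b=c` into nested keys will, when given `--__proto__.x`, walk into `Object.prototype` and write a property onto every object in the process. The parser, the `setKeyUnsafe`/`setKeySafe` helpers and the argv arrays are all constructed for this demo; a hardened variant that refuses prototype-related path segments is shown next to the vulnerable one.

```javascript
// Added example (not code from this MR or from the minimist project): a
// simplified model of an argv parser that maps "--a.b=c" to nested keys,
// the pattern that made minimist < 1.2.3 vulnerable to prototype pollution,
// beside a hardened variant. All argv inputs below are constructed.

const BLOCKED_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable variant: walks, and creates on demand, an object for every
// dotted segment. On a plain object `o['__proto__']` resolves to
// Object.prototype, so "--__proto__.x y" writes x onto every object.
function setKeyUnsafe(target, segments, value) {
  let o = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const k = segments[i];
    if (o[k] === undefined) o[k] = {};
    o = o[k];
  }
  o[segments[segments.length - 1]] = value;
}

// Hardened variant: reject prototype-related segments outright and only
// descend into objects the target itself owns.
function setKeySafe(target, segments, value) {
  if (segments.some((k) => BLOCKED_SEGMENTS.has(k))) return;
  let o = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const k = segments[i];
    if (!Object.prototype.hasOwnProperty.call(o, k) ||
        typeof o[k] !== 'object' || o[k] === null) {
      o[k] = {};
    }
    o = o[k];
  }
  o[segments[segments.length - 1]] = value;
}

// Minimal "--key.path value" / "--key.path=value" parser; short flags,
// booleans and negation are out of scope for this demo.
function parseArgs(argv, setKey) {
  const out = { _: [] };
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    if (!arg.startsWith('--')) {
      out._.push(arg);
      continue;
    }
    const body = arg.slice(2);
    const eq = body.indexOf('=');
    let key;
    let value;
    if (eq !== -1) {
      key = body.slice(0, eq);
      value = body.slice(eq + 1);
    } else {
      key = body;
      const next = argv[i + 1];
      value = next !== undefined && !next.startsWith('-') ? argv[++i] : true;
    }
    setKey(out, key.split('.'), value);
  }
  return out;
}

// Runs one attacker-controlled argv through the given setKey strategy and
// reports whether an unrelated, freshly created object picked up the key.
function demo(setKey) {
  const attackerArgv = ['--__proto__.polluted', 'yes', 'run']; // constructed input
  const parsed = parseArgs(attackerArgv, setKey);
  const victim = {}; // never received "polluted" directly
  const leaked = victim.polluted;
  delete Object.prototype.polluted; // undo the pollution so later code is unaffected
  return { leaked, positional: parsed._ };
}

console.log('unsafe:', demo(setKeyUnsafe));
console.log('safe:  ', demo(setKeySafe));
```

Run with `node` to see the unsafe variant report `leaked: 'yes'` while the hardened one reports `leaked: undefined`. The `constructor.prototype` path is blocked for the same reason as `__proto__`: `{}.constructor.prototype` is again `Object.prototype`, so filtering only the literal `__proto__` segment is not enough.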