What I Wanted to Do
I am using hippie in one of my repos. Installing it yields a vulnerability warning in the console.
My goal is to get rid of those vulnerability warnings, for gaining trust regarding #security ¯\_(ツ)_/¯
I learned that the dependency of node-gyp is causing this issue. You might want to upgrade to
What Happened Instead
I got the vulnerability warning
- set up a repo with firstname.lastname@example.org as a dependency
- run npm install
- see the vulnerability report
Then, if you do npm audit fix and check the diff afterwards, you’ll see that email@example.com is causing tar to be included at version 2.x, which is causing trouble. If you update to node-gyp@latest, this should be mitigated.
└─┬ firstname.lastname@example.org
  └─┬ email@example.com
    └─┬ firstname.lastname@example.org
      └─┬ email@example.com
        └── firstname.lastname@example.org
$ npm -v
6.9.0
$ node -p process.platform
linux
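The tree above is what npm ls prints when it traces which top-level dependency pulls in the flagged package. The following is an added example, not code from the issue author or from the hippie or node-gyp projects: it walks a constructed package-lock.json (npm 6, lockfileVersion 1 shape) and reports every path from a direct dependency down to a package whose version matches a predicate, e.g. tar at major version 2. The package names, versions, and the nesting of tar under node-gyp are constructed for illustration and do not claim to be the real chain from the report.

```javascript
// Added example: find dependency paths to a package in an npm lockfile v1 tree.
// Not part of the original issue; the lockfile below is constructed.

// Major version of a plain "x.y.z" string (no semver library needed here).
const semverMajor = (v) => parseInt(v.split('.')[0], 10);

// Resolve `name` as required from the last node in `chain` (root ... current).
// Lockfile v1 mirrors node_modules: the nearest ancestor that has a nested
// `dependencies[name]` wins, falling back to the hoisted copy at the root.
function resolve(chain, name) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}

// Return "a@1 > b@2 > target@v" strings for every path whose last hop is
// `targetName` with a version accepted by `matches`. `directDeps` are the
// package.json dependency names, since the lockfile root has no `requires`.
function findPaths(lock, directDeps, targetName, matches) {
  const results = [];
  const root = {
    dependencies: lock.dependencies || {},
    requires: Object.fromEntries(directDeps.map((d) => [d, '*'])),
  };
  function walk(chain, path, seen) {
    const node = chain[chain.length - 1];
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(chain, dep);
      if (!child || seen.has(child)) continue; // missing entry or a cycle
      const nextPath = path.concat(`${dep}@${child.version}`);
      if (dep === targetName && matches(child.version)) {
        results.push(nextPath.join(' > '));
      }
      const nextSeen = new Set(seen);
      nextSeen.add(child);
      walk(chain.concat(child), nextPath, nextSeen);
    }
  }
  walk([root], [], new Set());
  return results;
}

// Constructed lockfile: a hoisted tar@4.x at the root and an older tar@2.x
// nested under node-gyp because node-gyp's range conflicts with the hoisted one.
const lock = {
  lockfileVersion: 1,
  dependencies: {
    hippie: { version: '0.5.0', requires: { 'node-gyp': '^3.0.0' } },
    'node-gyp': {
      version: '3.8.0',
      requires: { tar: '^2.0.0' },
      dependencies: { tar: { version: '2.2.1' } },
    },
    tar: { version: '4.4.8' },
  },
};
const directDeps = ['hippie', 'tar']; // constructed package.json dependencies

// Which direct dependency drags in tar 2.x?
const tar2Paths = findPaths(lock, directDeps, 'tar', (v) => semverMajor(v) === 2);
console.log(tar2Paths.join('\n'));
```

Running it prints hippie@0.5.0 > node-gyp@3.8.0 > tar@2.2.1, which is the information npm audit fix needs but does not always print: the fix has to land at node-gyp, not at the hoisted tar, because node-gyp's own range pins the old major. The same walk with a major-4 predicate reports only the direct tar@4.4.8 path, confirming the hoisted copy is not the offender.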