[project] Unused npm-watch dependency #200
Comments
Depends too on
Just wanted to give support to this issue, as
This shouldn't be too big of a deal, since it's just a dev dependency and it's of moderate vulnerability, not high, but I thought I might as well after fixing the high severity vulnerabilities.

[semver versions 7.0.0-7.5.2 are vulnerable](GHSA-c2qf-rxjj-qqgw)

- Dev dependency @capacitor/assets 3.0.4 relies on @trapezedev/project 7.0.10
- [@trapezedev/project 7.0.10 relies on npm-watch ^0.9.0](https://github.com/ionic-team/trapeze/blob/main/packages/project/package.json), but it's not actually listed in the [lockfile](https://github.com/ionic-team/trapeze/blob/main/packages/project/package-lock.json). There's no more recent version of @trapezedev/project. [An issue has been raised](ionic-team/trapeze#200)
- [npm-watch 0.12.0+ is required for nodemon 3.0.0+](https://github.com/M-Zuber/npm-watch/releases/tag/v0.12.0)
- [nodemon 3.0.0+ is required for simple-update-notifier 2.0.0+](https://github.com/remy/nodemon/releases/tag/v3.0.0)
- [simple-update-notifier 2.0.0+ is required for the patched semver 7.5.3+](https://github.com/alexbrazier/simple-update-notifier/releases/tag/v2.0.0)

While we await an upstream fix in @capacitor/assets and @trapezedev/project, we can override the dependency. The tests all pass with this change, and the web server seems to run fine locally. That said, it looks like Capacitor is used for the Android and iOS versions of the app, and I haven't got those running locally (the `npm run ios-live-reload` and `npm run android-live-reload` fail on both `main` and this branch for various reasons).
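The dependency chain and the override described in the comment above, as an added example that is neither the trapeze project's code nor the quoted PR's. The lockfile-shaped graph, the resolved versions below @trapezedev/project, the patched subtree and the choice of `npm-watch` as the package to pin are constructed assumptions; only the package names and the semver 7.0.0-7.5.2 range come from the thread.

```javascript
// Added example, not code from the trapeze project or from the PR quoted above.
// It walks a constructed, lockfile-shaped dependency graph to list every path
// from the root to a package whose resolved version sits inside a known-bad
// range, then checks that swapping in patched versions (what an npm
// "overrides" entry does to the resolved tree) removes those paths.

// Minimal version parsing: "7.5.2" -> [7, 5, 2]; pre-release/build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison per component, so "7.10.0" sorts after "7.9.9".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive range check: isAffected("7.5.2", "7.0.0", "7.5.2") -> true,
// isAffected("7.5.3", "7.0.0", "7.5.2") -> false.
function isAffected(version, minInclusive, maxInclusive) {
  return compareVersions(version, minInclusive) >= 0 &&
         compareVersions(version, maxInclusive) <= 0;
}

// Constructed sample graph shaped like the chain described in the thread.
// Package names follow the thread; the resolved versions below
// @trapezedev/project are illustrative, not read from a real lockfile.
const SAMPLE_GRAPH = {
  root: { version: "0.0.0", deps: ["@capacitor/assets"] },
  "@capacitor/assets": { version: "3.0.4", deps: ["@trapezedev/project"] },
  "@trapezedev/project": { version: "7.0.10", deps: ["npm-watch"] },
  "npm-watch": { version: "0.9.0", deps: ["nodemon"] },
  nodemon: { version: "2.0.22", deps: ["simple-update-notifier"] },
  "simple-update-notifier": { version: "1.1.0", deps: ["semver"] },
  semver: { version: "7.0.0", deps: [] },
};

// Depth-first search returning every root -> target path whose target version
// falls inside [min, max]. Names on the current path are tracked so the walk
// stops on dependency cycles, which real lockfiles do contain.
function findVulnerablePaths(graph, target, min, max, start = "root") {
  const found = [];
  const walk = (name, onPath, labels) => {
    if (onPath.has(name)) return;
    const node = graph[name];
    if (!node) return; // absent from the graph, like npm-watch in the trapeze lockfile
    const nextLabels = [...labels, `${name}@${node.version}`];
    if (name === target) {
      if (isAffected(node.version, min, max)) found.push(nextLabels);
      return;
    }
    onPath.add(name);
    for (const dep of node.deps) walk(dep, onPath, nextLabels);
    onPath.delete(name);
  };
  walk(start, new Set(), []);
  return found;
}

// What an override changes in the resolved tree: the named package and the
// chain beneath it resolve to patched versions. This replacement subtree is
// constructed for the example; PACKAGE_JSON_OVERRIDES is the package.json
// fragment that would request it (pinning npm-watch is an assumption here).
const PATCHED_SUBTREE = {
  "npm-watch": { version: "0.12.0", deps: ["nodemon"] },
  nodemon: { version: "3.0.1", deps: ["simple-update-notifier"] },
  "simple-update-notifier": { version: "2.0.0", deps: ["semver"] },
  semver: { version: "7.5.3", deps: [] },
};
const PACKAGE_JSON_OVERRIDES = { overrides: { "npm-watch": "^0.12.0" } };

function applyOverride(graph, replacementSubtree) {
  return { ...graph, ...replacementSubtree };
}

// Audit for the range named in the thread; returns the list of vulnerable paths.
function auditSemver(graph) {
  return findVulnerablePaths(graph, "semver", "7.0.0", "7.5.2");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("before override:", auditSemver(SAMPLE_GRAPH).map((p) => p.join(" > ")));
  console.log("after override:", auditSemver(applyOverride(SAMPLE_GRAPH, PATCHED_SUBTREE)));
  console.log("package.json fragment:", JSON.stringify(PACKAGE_JSON_OVERRIDES, null, 2));
}
```

Running it with `node` prints the single chain from the root down to semver@7.0.0 before the override and an empty list afterwards. The same walk over a real `package-lock.json` is a cheap way to confirm, after editing `overrides`, that no other path still reaches an affected semver version, which `npm audit` will also report but without the chain that explains why.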
GitLab detects this as a high severity risk!
I really think you should upgrade or remove that package. If this isn't done after one year (even when receiving PRs), the project seems abandoned, which would be sad for the whole Ionic community. To still be compliant we overrule the dependency in the
The `@trapezedev/project` depends on `npm-watch` but it seems not to be used anywhere. `npm-watch` seems not to be regularly maintained. `npm-watch` depends on `nodemon@^2.0.7` (06/01/2021). Right now nodemon is 3.0.1.
On an `npm audit fix` it raises a `Severity: moderate`.
Maybe this dependency could be removed if not used anywhere.