addressing accumulated security alerts on dependencies

[emiliom]

@BobTorgerson many dependency security alerts have accumulated on this software in the last 6 months, with a bunch of those labelled "high severity". Would you or @brucecrevensten have the bandwidth to see if any of them should be addressed?

Thanks!

[brucecrevensten]

Hi @emiliom thanks for putting this on our radar! We can definitely take a look. One thing to know, since this is a statically-deployed web app (i.e. not interactive and not managing user data on the server side), most of the security concerns tend to not apply. We'll put this in our roadmap for September.

[emiliom]

Good point. I guess the main concern is then damage to users via the client web app code.
Thanks.

[brucecrevensten]

Totally valid! I did check take a look at the current warnings and I'm not seeing anything that raises my hackles about client security. Most were either server-side only, or development only (runs when the site is built). The one which could potentially impact client security isn't in use in our codebase.

I think we're good here for now, but we will want to look at doing a full update of dependencies at some point for this app. Let me know if this is OK for you -- we can keep this issue open until we do a refresh.

[emiliom]

Sounds good to me. Thanks.