Description
After committing the package-lock.json file (see #28), we get 8 alerts for vulnerabilities (see e.g. https://github.com/ChEB-AI/chebifier-web/security/dependabot/43)
| Package | Manifest | Severity |
|---|---|---|
| js-yaml | react-app/package-lock.json | Critical |
| uglify-js | react-app/package-lock.json | Critical |
| minimatch | react-app/package-lock.json | High |
| axios | react-app/package-lock.json | High |
| jsonpath | react-app/package-lock.json | High |
| react-router | react-app/package-lock.json | High |
| qs | react-app/package-lock.json | High |
| timespan | react-app/package-lock.json | High |
I tried resolving them by `npm audit --force` but somehow got even more vulnerabilities?
I then tried to align some versions manually and this is my best attempt so far:
Result: 23 vulnerabilities (22 high, 1 critical)
After running `npm audit --force` on this, I get 62 vulnerabilities (3 moderate, 59 high).
This requires further investigation by future me / someone else.