Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2020/09/17 05:11:33 UTC

[GitHub] [incubator-superset] robdiciuccio commented on pull request #10925: Update vulnerable packages identified by FOSSA

robdiciuccio commented on pull request #10925:
URL: https://github.com/apache/incubator-superset/pull/10925#issuecomment-693868951


   Adding the dependency to the top level was the recommendation from FOSSA. I went down the rabbit hole of trying to update the transitive dependencies directly via `npm update --depth 1 prismjs` which worked to some extent, but didn't resolve all of the vulnerable version dependencies. Updating top level packages is required here, and even then there are nested dependencies still pointing to old versions.
   
   As a workaround for the failing builds, I've disabled security scanning in the FOSSA project, so it will be used only for license checking for the time being. Preset also uses Snyk for vulnerability management; we can continue to use this to identify and remediate package vulnerabilities (we have tickets open for updating affected packages).
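The situation described in the comment, a hoisted top-level copy of a package updated while nested copies under other dependencies stay at older versions, is visible in `package-lock.json` itself. The script below is an added example, not code from the Superset project or from the commenter: it walks a lockfileVersion 1 lockfile, lists every installed copy of a package (top-level and transitive), and flags the copies below a given minimum version. The lockfile fragment, the parent package names (`highlighter-lib`, `widget-lib`, `renderer-lib`) and the threshold `1.21.0` are constructed for the example and are not a statement about any real advisory or package.

```javascript
// Added example (not Superset's code): find every copy of a package in an
// npm lockfileVersion 1 package-lock.json, including nested (non-hoisted)
// copies, and report the ones still below a minimum version.

// Constructed lockfile fragment. Parent package names and all version
// numbers are invented for this example.
const lockfile = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    prismjs: { version: '1.21.0' },              // hoisted top-level copy
    'highlighter-lib': {
      version: '3.0.0',
      requires: { prismjs: '~1.17.0' },
      dependencies: {
        prismjs: { version: '1.17.1' }             // nested, older copy
      }
    },
    'widget-lib': {
      version: '2.0.0',
      requires: { 'renderer-lib': '1.0.0' },
      dependencies: {
        'renderer-lib': {
          version: '1.0.0',
          requires: { prismjs: '1.16.0' },
          dependencies: { prismjs: { version: '1.16.0' } }  // two levels down
        }
      }
    }
  }
};

// Numeric comparison of dotted versions. Lockfile versions are exact, so no
// range or prerelease handling is needed here. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every installed copy of `name`. Each result carries
// the chain of parent packages that pin that copy, so you can see which
// top-level package needs updating (or an override) to get rid of it.
function findCopies(deps, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(deps || {})) {
    if (dep === name) {
      out.push({ path: [...path, dep].join(' > '), version: info.version });
    }
    if (info.dependencies) {
      findCopies(info.dependencies, name, [...path, dep], out);
    }
  }
  return out;
}

// Copies of `name` whose installed version is below `minVersion`.
function outdatedCopies(lock, name, minVersion) {
  return findCopies(lock.dependencies, name)
    .filter(c => compareVersions(c.version, minVersion) < 0);
}

// Usage: the threshold is an assumed value for the example.
const stale = outdatedCopies(lockfile, 'prismjs', '1.21.0');
for (const c of stale) {
  console.log(`${c.path} is at ${c.version}, below 1.21.0`);
}
```

On a real project, replace the inline object with `JSON.parse(fs.readFileSync('package-lock.json'))`; for lockfileVersion 2 or 3 the nested layout is replaced by flat `packages` keys such as `node_modules/a/node_modules/prismjs`, so the walk becomes a filter over those keys instead of a recursion.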


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


