How to remove potential security vulnerabilities in dependencies on GitHub


I'm facing this security vulnerability on my GitHub repo. And here's the link to my repo: https://github.com/naima-shk/UDACITY-NANO-DEGREE/network/alerts.

That’s a private link. Nobody but you can see the contents.

You have over 1200 dependencies. One of them (probably many of them) has a security issue. If you click the “View security alerts” button you can see what security issues there are.

You might want to reduce your number of dependencies, regardless of the security concerns.

Why did you install an old version of create-react-app? You're inevitably going to get warnings about security vulnerabilities, and if you blindly just update the dependencies of create-react-app you are extremely likely to break things.

Just ignore the warnings (or install the current version of create-react-app rather than the one from last year).

Just for my own education, how common is 1200 dependencies with JavaScript/Web Dev? I’m used to the C world where we aggressively reduce the number of dependencies, chasing the 0 dependency holy grail.

@JeremyLT That's npm for you. It's turtles all the way down.

The clone is from a repo that has not been updated in 3 years. So it’s pretty out of date.

You can run npm audit to see the vulnerabilities. Updating it is likely to break stuff but you can try running npm audit fix and see if it still works.


Really common: need to bear in mind that a lot of those are development dependencies. It’s equivalent to, say, maybe all the llvm toolchain, with Node the thing that powers it? I think that’s a reasonable comparison. Not that this is still awful, but for different reasons (and ones I suspect are mirrored in C, or any language for that matter): it’s super complicated to set up a solid toolchain from scratch because there are so many moving parts, stuff breaks all.the.time.

(As an aside, Facebook are busy trying to build a tool called Rome, which is a single binary that lints, formats, compiles and bundles code – sincerely hope they manage it because that would remove most of the dependencies instantly)

React itself + the React DOM library are the only production dependencies, and React has [afaik] only two non-internal dependencies (an Object.assign polyfill + a tiny env var helper)


That makes sense. I don’t like dependencies, but I tend to expect developers to run clang-tidy and clang-format to help QC their code. In that sense, my work doesn’t require LLVM but I expect developers to use its features. (Or at least to respect any errors LLVM tools find during CI)