From a64a44fe41721be732b604005e2137c3cfac1575 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?L=C3=A1szl=C3=B3=20Monda?= Date: Sun, 18 Aug 2019 22:52:09 +0200 Subject: [PATCH] Update NPM_UPDATES.md --- NPM_UPDATES.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/NPM_UPDATES.md b/NPM_UPDATES.md index f1ba2dcd..f6323290 100644 --- a/NPM_UPDATES.md +++ b/NPM_UPDATES.md @@ -1,7 +1,8 @@ We get requests from time to time to update our NPM dependencies because they contain vulnerabilities according to `npm audit`. Such issues will be closed without further consideration due to the following reasons: -1. Often times, 3rd party packages are affected by vulnerabilities which we cannot fix. -2. We can't just blindly update all of the packages because that'd likely break Agent as it happened in the past. Each of the updates must be carefully tested, and we don't have the manpower to do it on a daily basis. -3. Sometimes `npm audit` signals false vulnerabilities. +1. Usually, the affected packages are not runtime dependencies of Agent, but devDependencies which are only needed for developing Agent. +2. Often times, 3rd party packages are affected by vulnerabilities which we cannot fix. +3. We can't just blindly update all of the packages because that'd likely break Agent as it has happened in the past. Each of the updates must be carefully tested, and we don't have the manpower to do it on a daily basis. +4. Sometimes `npm audit` signals false vulnerabilities. We routinely update our dependencies on a best effort basis.
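Review bot: The new reason 1 in this hunk ("Usually, the affected packages are not runtime dependencies of Agent, but devDependencies") gives reporters no way to verify that claim before they open an issue that will be closed unread; suggest adding a sentence telling them to check the finding against the production dependency tree first (for example, `npm audit --production`, which skips devDependencies), so that only findings in packages actually shipped with Agent get filed. It would also be worth qualifying "only needed for developing Agent": a vulnerable devDependency still runs on contributor machines and in the build pipeline, so the new wording should say these findings are deprioritized rather than irrelevant. Minor: since the list is being renumbered anyway, "Often times" in reason 2 could become "Often", and "as it has happened in the past" reads better as "as has happened in the past".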