Replies: 2 comments
Thanks for flagging this! A few important things to understand about those npm audit results:

First — please don't run

Second — the vast majority of those 23 vulnerabilities are in dev dependencies (Electron, Vite, testing tools) that are NOT included when you run OpenHamClock. They only exist in the development toolchain used to build the app. They don't ship in your running server and cannot be exploited on your Pi.

For the production dependencies, here's the actual picture:

• express v4 — has some known advisories, but we use helmet, rate limiting, CORS, and input validation on top of it. Express v5 is still very new and we'll evaluate it when the ecosystem catches up.

npm audit is a useful tool, but it's notorious for false positives and conflating dev/production risk. A vulnerability in your test runner is not the same as a vulnerability in your web server. That said, we do take this seriously and will be reviewing and updating dependencies as part of our regular Tuesday release cycle.

If you want the safest setup, just run OpenHamClock as-is from a clean

73 de K0CJH
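The maintainer's point above is that an audit count mixes findings from the build toolchain with findings in code that actually runs on the Pi. One way to see that split for yourself is to read the `dev` flag that npm writes into `package-lock.json` (lockfileVersion 2 and 3 mark dev-only packages with `"dev": true`) and use it to sort the output of `npm audit --json` into production and dev-only buckets. The script below is an added example, not code from the OpenHamClock project or the thread; the two JSON documents embedded in it are constructed samples with the shape of those files, not the project's real lockfile or audit output.

```python
"""
Triage `npm audit --json` findings by whether the affected package ships
in production or only in the development toolchain.

Assumptions (not from the thread): a package-lock.json with lockfileVersion
2 or 3, where dev-only package nodes carry "dev": true, and the JSON shape
produced by `npm audit --json` on npm 7+, whose "vulnerabilities" object is
keyed by package name. Both sample inputs below are constructed for
illustration and are not the project's real files.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: trimmed package-lock.json (lockfileVersion 3 shape).
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.18.0"},
             "devDependencies": {"vite": "^5.0.0", "electron": "^28.0.0"}},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/vite": {"version": "5.0.0", "dev": True},
        "node_modules/electron": {"version": "28.0.0", "dev": True},
        # nested copy under vite: the rsplit below still yields the bare name
        "node_modules/vite/node_modules/esbuild": {"version": "0.19.0", "dev": True},
    },
})

# Constructed sample: trimmed `npm audit --json` output (npm 7+ shape).
SAMPLE_AUDIT = json.dumps({
    "vulnerabilities": {
        "express": {"name": "express", "severity": "moderate",
                    "isDirect": True, "fixAvailable": True},
        "vite": {"name": "vite", "severity": "high",
                 "isDirect": True, "fixAvailable": True},
        "electron": {"name": "electron", "severity": "high",
                     "isDirect": True, "fixAvailable": False},
        "esbuild": {"name": "esbuild", "severity": "moderate",
                    "isDirect": False, "fixAvailable": True},
    }
})


def dev_only_packages(lock_text):
    """Names whose every installed copy is marked dev-only in the lockfile.

    A package that appears both as a production node and as a nested dev
    copy is NOT dev-only: the production copy still ships.
    """
    lock = json.loads(lock_text)
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("need lockfileVersion 2 or 3 (re-run a recent npm install)")
    flags = defaultdict(list)
    for path, meta in lock["packages"].items():
        if path == "":  # root project entry, not an installed package
            continue
        # "node_modules/a/node_modules/@s/b" -> "@s/b" (last node_modules segment)
        name = path.rsplit("node_modules/", 1)[-1]
        flags[name].append(bool(meta.get("dev")))
    return {name for name, seen in flags.items() if all(seen)}


def triage(audit_text, lock_text):
    """Split audit findings into 'production' and 'dev_only' buckets."""
    audit = json.loads(audit_text)
    dev = dev_only_packages(lock_text)
    report = {"production": {}, "dev_only": {}}
    for name, vuln in audit.get("vulnerabilities", {}).items():
        bucket = "dev_only" if name in dev else "production"
        report[bucket][name] = {
            "severity": vuln.get("severity"),
            "direct": bool(vuln.get("isDirect")),
            # fixAvailable is True/False or an object describing a major bump
            "fix_available": bool(vuln.get("fixAvailable")),
        }
    return report


def severity_counts(bucket):
    """Counter of severities within one bucket of a triage report."""
    return Counter(v["severity"] for v in bucket.values())


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT, SAMPLE_LOCK)
    for bucket in ("production", "dev_only"):
        print(f"{bucket}: {dict(severity_counts(result[bucket]))}")
        for name, info in sorted(result[bucket].items()):
            print(f"  {name:10} {info['severity']:8} direct={info['direct']} "
                  f"fix={info['fix_available']}")
```

Run it against real files by replacing the two samples with `open("package-lock.json").read()` and the captured output of `npm audit --json`. npm itself can narrow the audit to the shipped tree with `npm audit --omit=dev`; the script adds the per-package bucketing and the "every copy is dev" check, which matters when a library is pulled in both by the server and by a build tool.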
@accius I would like to ask that we consider the following options.
After using npm audit fix --force on OpenHamClock running on my Raspberry Pi 4, I am still seeing 23 vulnerabilities with 4 moderate and 19 high severity issues in the NPM packages used by OpenHamClock. Can this be addressed by the developers?