Koha/package.json
Owen Leonard 78bf5b3ec6
Bug 23025: security vulnerability detected in fstream < 1.0.12 defined in yarn.lock
This patch updates the version requirements for modules used by yarn.
Running "yarn upgrade" will upgrade the project's direct dependencies as
listed in package.json. However, the output of "yarn audit" will
identify more vulnerabilities with libraries further down the dependency
tree.

Adding a "resolutions" list in package.json seems to be the way to
include these upgrades in an installation.

After making these changes I ran "yarn install" and "yarn audit" again.
The audit reported no vulnerabilities.

Upgrading yarn.lock should allow for the installation of newer versions
of npm modules in new installations. I believe it is necessary to run
"yarn upgrade" on existing installations in order to bring dependencies
up to versions matching those on existing installations.

To test, run the yarn commands we use to compile SCSS in the staff
client and the opac:

yarn build
yarn build --view opac

They should complete without error.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
2019-11-27 11:30:17 +00:00


{
  "name": "koha",
  "description": "Koha is distributed under the GNU GPL version 3 or later.",
  "main": "gulpfile.js",
  "directories": {
    "doc": "docs",
    "test": "test"
  },
  "dependencies": {
    "gulp": "^3.9.1",
    "gulp-autoprefixer": "^4.0.0",
    "gulp-cssnano": "^2.1.2",
    "gulp-sass": "^3.1.0",
    "gulp-sourcemaps": "^2.6.1",
    "gulp-util": "^3.0.8"
  },
  "devDependencies": {},
  "scripts": {
    "build": "node_modules/.bin/gulp build",
    "css": "node_modules/.bin/gulp css",
    "watch": "node_modules/.bin/gulp watch"
  },
  "repository": {
    "type": "git",
    "url": "git://git.koha-community.org/koha.git"
  },
  "resolutions": {
    "minimatch": "^3.0.2",
    "lodash": "^4.17.12",
    "js-yaml": "^3.13.1"
  },
  "author": "",
  "license": "GPL-3.0"
}
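
Added example (not part of the Koha commit or repository): a small Node.js check that a yarn.lock honours the "resolutions" pins in the file above, the kind of check that catches a stale lockfile where transitive dependencies still resolve below the pinned floor. The lockfile text is a constructed sample, the function names are hypothetical, and the caret matching is simplified to ranges of the form ^X.Y.Z with X >= 1.

```javascript
// Added example: flag yarn.lock (v1) entries that fall outside package.json "resolutions".
// Simplified caret matching: only "^X.Y.Z" with X >= 1 (true for the three pins on this page).
const resolutions = { minimatch: "^3.0.2", lodash: "^4.17.12", "js-yaml": "^3.13.1" };

// Constructed sample lockfile text, not Koha's real yarn.lock.
const sampleLock = `
js-yaml@~3.7.0:
  version "3.7.0"
lodash@^4.0.0, lodash@~4.17.10:
  version "4.17.15"
minimatch@^3.0.2, "minimatch@2 || 3":
  version "3.0.4"
minimatch@~0.2.11:
  version "0.2.14"
`;

const parseVersion = (v) => v.split("-")[0].split(".").map(Number);
function satisfiesCaret(version, range) {
  const want = parseVersion(range.replace(/^\^/, ""));
  const got = parseVersion(version);
  if (got[0] !== want[0]) return false; // caret never crosses a major version
  if (got[1] !== want[1]) return got[1] > want[1];
  return got[2] >= want[2];
}

function parseLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (/^\S.*:$/.test(line) && !line.startsWith("#")) {
      // Entry header, e.g.  lodash@^4.0.0, "minimatch@2 || 3":
      const spec = line.slice(0, -1).split(",")[0].trim().replace(/^"|"$/g, "");
      current = { name: spec.slice(0, spec.lastIndexOf("@")), version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "(.+)"$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

function findViolations(lockText, pins) {
  const pinned = (name) => Object.prototype.hasOwnProperty.call(pins, name);
  return parseLock(lockText)
    .filter((e) => pinned(e.name) && e.version && !satisfiesCaret(e.version, pins[e.name]))
    .map((e) => `${e.name}@${e.version} violates ${pins[e.name]}`);
}
console.log(findViolations(sampleLock, resolutions));
```

On the constructed sample this reports the js-yaml 3.7.0 and minimatch 0.2.14 entries; a lockfile regenerated with the pins applied should produce an empty list.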