GitHub generates security alerts on yarn.lock for acorn and clean-css for a fresh project generated by npx express-generator --view=pug
#258
Comments
It is likely these are dependencies of dependencies, etc. There may be some projects that need to be notified to update. If you think there is something the generator can do to resolve directly, please let us know and we can reopen.
Thanks @dougwilson —
Actually @dougwilson it turns out that the
First, create a new GitHub repo with .gitignore set to Node.
Then run
npx express-generator --view=pug
and push the results:
Back at GitHub, you'll see this:
Clicking the button to view alerts will show these two:
acorn
The acorn one seems to not even be automatically fixable:
Clicking the details link gives a short message entitled "Dependabot cannot update to the required version":
clean-css
Likewise, clean-css can't be fixed:
The details link shows the same short message as for acorn.
It's not immediately clear from looking at yarn.lock what the original dependencies even are, and acorn and clean-css are not present in package.json, so they probably need to be manually traced. It's also not clear what the conflict is from the short message on GitHub.
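The manual tracing described in the issue above can be scripted. This is an added example, not code from the issue or from express-generator: it assumes the yarn v1 lockfile format, and the function names (`parseYarnLock`, `tracePaths`), the `example-filters` package and all version numbers are constructed for illustration.

```javascript
// Constructed sample lockfile (yarn v1 format); names and versions are made up.
const SAMPLE_LOCK = `# yarn lockfile v1
acorn@^1.0.0:
  version "1.0.0"
acorn@^2.0.0:
  version "2.0.0"
clean-css@^1.0.0:
  version "1.0.0"
example-filters@^1.0.0:
  version "1.0.0"
  dependencies:
    acorn "^2.0.0"
    clean-css "^1.0.0"
pug@^1.0.0:
  version "1.0.0"
  dependencies:
    acorn "^1.0.0"
    example-filters "^1.0.0"`;

// Parse yarn.lock v1 text into a Map: "name@range" -> { version, deps: ["name@range"] }.
function parseYarnLock(text) {
  const entries = new Map();
  let cur = null, inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    const dep = line.match(/^ {4}"?([^"\s]+)"?\s+"?([^"]+)"?$/);
    if (!line.startsWith(' ')) {             // entry header: comma-separated specs
      cur = { version: null, deps: [] };
      for (const s of line.slice(0, -1).split(',')) entries.set(s.trim().replace(/"/g, ''), cur);
    } else if (/^ {2}version "/.test(line)) cur.version = line.split('"')[1];
    else if (dep && inDeps) cur.deps.push(`${dep[1]}@${dep[2]}`);
    inDeps = dep ? inDeps : /^ {2}(optionalD|d)ependencies:$/.test(line);
  }
  return entries;
}

// List every chain from a direct dependency spec (as in package.json) down to `target`.
function tracePaths(entries, directSpecs, target) {
  const nameOf = (spec) => spec.slice(0, spec.lastIndexOf('@'));
  const paths = [];
  const walk = (spec, chain) => {
    if (!entries.has(spec) || chain.includes(spec)) return;  // unknown spec or cycle
    const next = [...chain, spec];
    if (nameOf(spec) !== target) return entries.get(spec).deps.forEach((d) => walk(d, next));
    paths.push(next.map((s) => `${nameOf(s)}@${entries.get(s).version}`).join(' > '));
  };
  directSpecs.forEach((s) => walk(s, []));
  return paths;
}
```

Each returned chain names the resolved version at every hop, so an alert on one version of a package can be matched to the parent that pins it. On a real checkout, `yarn why acorn` reports the same kind of chain.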