GitHub alert: "One of your dependencies has a security vulnerability"

Running

npm install --save-dev optimize-css-assets-webpack-plugin@5.0.1

and

npm install --save-dev webpack-cli@3.3.2

in the assets directory accomplishes the same thing - package.json:

{
  "repository": {},
  "license": "MIT",
  "scripts": {
    "deploy": "webpack --mode production",
    "watch": "webpack --mode development --watch"
  },
  "dependencies": {
    "phoenix": "file:../deps/phoenix",
    "phoenix_html": "file:../deps/phoenix_html"
  },
  "devDependencies": {
    "@babel/core": "^7.0.0",
    "@babel/preset-env": "^7.0.0",
    "babel-loader": "^8.0.0",
    "copy-webpack-plugin": "^4.5.0",
    "css-loader": "^2.1.1",
    "mini-css-extract-plugin": "^0.4.0",
    "optimize-css-assets-webpack-plugin": "^5.0.1",
    "uglifyjs-webpack-plugin": "^1.2.4",
    "webpack": "4.4.0",
    "webpack-cli": "^3.3.2"
  }
}

Phoenix doesn’t care about webpack - it just installs it as a convenience feature. Apart from maybe the channel and HTML helpers, the JavaScript assets take on a life of their own after project creation.
