First, let me say sorry if this issue was answered lately; while I'm a regular Elm user, I'm not really following the community here or elsewhere on a regular basis.
In the last couple of months the npm packages have seen quite a bit of bit-rot/security-rot.
I usually install elm and elm-format via npm install --save-dev, and our CI has the usual dependency scanners ready … which means that I have to dismiss quite a few critical or high alerts in the reports, and honestly: it really rubs me the wrong way (it looks pathetic and it shows in the audits).
Sure, I could build myself a docker image with the binaries preinstalled and circumvent this, but that departs somewhat from our usual dev and build setup, and this would be a last resort for me.
How are others here coping with this and is there any chance that someone with the needed access-rights would go and do some maintenance on the package?
Fun thing is that npm audit wants to revert to 0.19.0, as this has fewer of the broken/insecure package dependencies.
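One way of coping with the audit noise the post describes is to triage the findings by whether they are reachable only through build-time tooling declared in devDependencies (elm, elm-format) or through runtime dependencies, and to let CI fail only on the latter. The script below is an added example, not code from the original post or from the Elm project; it assumes the npm 7+ `npm audit --json` shape (one entry per vulnerable package with `severity`, `isDirect` and `effects` fields) and uses a constructed, trimmed audit document whose package names other than elm and elm-format are placeholders.

```python
import json
from collections import deque

# Constructed sample data (not real audit output): a trimmed `npm audit --json`
# document and the matching package.json. "example-*" names are placeholders.
SAMPLE_AUDIT = json.dumps({
    "vulnerabilities": {
        "example-tar-lib": {
            "name": "example-tar-lib", "severity": "high", "isDirect": False,
            "via": [{"title": "placeholder advisory", "severity": "high"}],
            "effects": ["elm"], "range": "<9.9.9",
        },
        "elm": {
            "name": "elm", "severity": "high", "isDirect": True,
            "via": ["example-tar-lib"], "effects": [], "range": "*",
        },
        "example-http-lib": {
            "name": "example-http-lib", "severity": "critical", "isDirect": False,
            "via": [{"title": "placeholder advisory", "severity": "critical"}],
            "effects": ["example-server"], "range": "<2.0.0",
        },
        "example-server": {
            "name": "example-server", "severity": "critical", "isDirect": True,
            "via": ["example-http-lib"], "effects": [], "range": "*",
        },
    }
})
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"example-server": "^1.0.0"},
    "devDependencies": {"elm": "0.19.1-5", "elm-format": "0.8.5"},
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def direct_ancestors(vulns, name):
    """Follow the "effects" edges upward (dependent packages) until reaching
    packages declared directly in package.json ("isDirect"). Returns that set."""
    seen, roots, queue = set(), set(), deque([name])
    while queue:
        cur = queue.popleft()
        if cur in seen or cur not in vulns:
            continue
        seen.add(cur)
        entry = vulns[cur]
        if entry.get("isDirect"):
            roots.add(cur)
        queue.extend(entry.get("effects", []))
    return roots


def triage(audit_json, package_json):
    """Classify every finding as 'dev-only' (every direct ancestor is a
    devDependency, i.e. build-time tooling) or 'runtime' (anything else,
    including findings with no resolvable direct ancestor, to stay conservative)."""
    vulns = json.loads(audit_json).get("vulnerabilities", {})
    dev = set(json.loads(package_json).get("devDependencies", {}))
    report = {}
    for name, entry in vulns.items():
        roots = direct_ancestors(vulns, name)
        scope = "dev-only" if roots and roots <= dev else "runtime"
        report[name] = {
            "severity": entry.get("severity", "info"),
            "scope": scope,
            "roots": sorted(roots),
        }
    return report


def should_fail_build(report, threshold="high"):
    """True when any runtime-scoped finding is at or above the threshold.
    Dev-only findings are still listed in the report but do not gate the build."""
    limit = SEVERITY_RANK[threshold]
    return any(
        f["scope"] == "runtime" and SEVERITY_RANK.get(f["severity"], 0) >= limit
        for f in report.values()
    )


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT, SAMPLE_PACKAGE_JSON)
    for pkg, finding in sorted(result.items()):
        print(f"{pkg:20} {finding['severity']:9} {finding['scope']:9} via {finding['roots']}")
    print("fail build:", should_fail_build(result, "high"))
```

In a real pipeline the two inputs would come from `npm audit --json` and the project's package.json; the dev-only findings should still be reviewed (the build tooling runs on CI and developer machines), but separating them from runtime findings keeps the audit gate meaningful instead of being dismissed wholesale.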