First, let me say sorry if this issue was answered lately; while I'm a regular Elm user, I'm not really following the community here or elsewhere on a regular basis.
In the last couple of months the npm packages have seen really quite a bit of bit-/security-rot.
I usually install elm and elm-format via `npm install --save-dev`, and our CI has the usual dependency scanners ready … which means that I have to dismiss quite a few critical or high alerts in the reports, and honestly: it really rubs me the wrong way (it looks pathetic and it shows in the audits).
Sure, I could build myself a Docker image with the binaries preinstalled and circumvent this, but that departs somewhat from our usual dev and build setup, and this would be a last resort for me.
How are others here coping with this, and is there any chance that someone with the needed access rights would go and do some maintenance on the package?
Fun thing is that `npm audit` wants to revert to 0.19.0, as this has fewer of the broken/insecure package dependencies.
The last time I looked (~6 months ago), I think only elm-review actually needs Node, and everything else (if you substitute elm-test-rs for elm-test) could hypothetically bypass using Node/npm as a fancy downloader for executables, and obviate the need to keep up with the dumpster fire in the future.
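What "not using npm as a downloader" looks like in practice, as an added example that is not part of either post above: a small POSIX shell script that fetches a pinned Elm compiler release directly and refuses to install it unless its SHA-256 matches a value you pin in the repo. The download URL follows the asset naming on the elm/compiler GitHub releases page (an assumption; adjust for your platform), and `ELM_SHA256` is a placeholder you must fill in from a trusted source, not a real digest. Only the `install` subcommand touches the network; the hash helpers run offline.

```shell
#!/bin/sh
# Added example: install a pinned Elm binary without npm, verifying its
# SHA-256 against a value committed alongside the build config.
# Assumptions: the elm/compiler release asset name below, and that
# ELM_SHA256 is replaced with a digest obtained from a trusted source.
set -eu

ELM_VERSION="${ELM_VERSION:-0.19.1}"
ELM_URL="https://github.com/elm/compiler/releases/download/${ELM_VERSION}/binary-for-linux-64-bit.gz"
ELM_SHA256="${ELM_SHA256:-REPLACE_WITH_PINNED_SHA256}"   # placeholder, not a real digest
ELM_DEST="${ELM_DEST:-./node_modules/.bin/elm}"            # keep the path your scripts expect

# sha256_of FILE -> prints the hex digest; coreutils first, BSD shasum as fallback
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED -> exit 0 on match, 1 otherwise
verify_sha256() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# fetch_pinned URL EXPECTED_SHA256 DEST
# Downloads the gzipped release, checks the digest of the exact bytes that
# came off the wire (before gunzip), then installs the executable at DEST.
fetch_pinned() {
  url="$1"; expected="$2"; dest="$3"
  tmp=$(mktemp)
  curl -fsSL "$url" -o "$tmp"
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "checksum mismatch for $url, refusing to install" >&2
    rm -f "$tmp"
    return 1
  fi
  mkdir -p "$(dirname "$dest")"
  gunzip -c "$tmp" > "$dest"
  chmod +x "$dest"
  rm -f "$tmp"
  echo "installed $dest (sha256 verified)"
}

# Only perform the network fetch when invoked as: sh install-elm.sh install
if [ "${1:-}" = "install" ]; then
  fetch_pinned "$ELM_URL" "$ELM_SHA256" "$ELM_DEST"
fi
```

Because the digest is checked on the compressed bytes exactly as downloaded, a tampered or truncated asset fails closed before anything is written to the install path; dependency scanners then have no npm lockfile entry for the compiler to complain about, and the pinned hash gives CI the same reproducibility the lockfile was providing.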