Merge pull request #19 from badgerloop-software/fix/audit-vulnerabilities

sbasu107 · web-flow · commit c9ba2a6c95cf · 2026-04-03T04:15:00.000-05:00
fix(deps): resolve npm audit findings on Expo root
diff --git a/docs/chase-car-dashboard-git-subtree.md b/docs/chase-car-dashboard-git-subtree.md
@@ -54,3 +54,11 @@ rm -rf ../public/classic-dashboard && cp -a build ../public/classic-dashboard
 ## Force-push warning
 
 Rewriting `main` to insert this history retroactively would disrupt existing clones. New history was added on a dedicated branch with a merge that preserves upstream authors going forward.
+
+## npm audit / security note
+
+`classic-dashboard/` is a **separate Create React App** app (`react-scripts@4`). It has its **own** `package.json` and `node_modules` and is **not** installed when you run `npm install` at the repo root. Root-level `npm audit` therefore reflects **Expo / mobile** dependencies only.
+
+If you `cd classic-dashboard && npm install`, `npm audit` typically reports **many** findings (often **hundreds**), mostly from the old **webpack / webpack-dev-server / jest** stack pinned by CRA 4. Clearing them usually requires a **major upgrade** to `react-scripts@5` (breaking) or replacing the build toolchain. Many reported issues apply to **local dev** (`npm start`), not to the **static production build** copied into `public/classic-dashboard/`, which does not ship the dev server.
+
+For dependency hygiene on the classic tree, prefer fixing **upstream** `chase-car-dashboard` and then `git subtree pull`, or plan a dedicated CRA 5 / Vite migration in that repo.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -58,7 +58,7 @@
     "ws": "^8.20.0"
   },
   "overrides": {
-    "tar": ">=7.5.4"
+    "tar": ">=7.5.11"
   },
   "private": true,
   "expo": {
