Dependency Vulnerabilities

[alexpArtos]

When I clone the Doxity repository on a Windows machine and run npm install , I get this output:
(Note: I modified the compile target in package.json to work in Windows)

rmdir /q /s lib & node_modules.bin\babel src -d lib

src\bin\doxity.js -> lib\bin\doxity.js
src\build.js -> lib\build.js
src\compile\index.js -> lib\compile\index.js
src\compile\parse-abi.js -> lib\compile\parse-abi.js
src\compile\parse-asm.js -> lib\compile\parse-asm.js
src\compile\solc.js -> lib\compile\solc.js
src\constants.js -> lib\constants.js
src\develop.js -> lib\develop.js
src\helpers.js -> lib\helpers.js
src\index.js -> lib\index.js
src\init.js -> lib\init.js
src\publish.js -> lib\publish.js

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.1.2 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

audited 4315 packages in 6.389s
found 308 vulnerabilities (292 low, 10 moderate, 5 high, 1 critical)
run npm audit fix to fix them, or npm audit for details

Could these references be updated in the repo?

[alexpArtos]

Does anyone out there have a similar problem? We would really like to use Doxity with our code, because it adds value to what we're doing, but we are wary of using it with a critical vulnerability around.
Is anyone else also affected by this, or does anyone have a workaround?

Thank you.

[alexpArtos]

To add some context to this.
Although my team would like to use Doxity for our development, we are probably not going to do it while those vulnerabilities persist, as one of them is critical.
I've traced it down to growl 1.9.2 being requested by a chain of dependencies that leads ultimately to solidity-parser 0.3.0, which is requested by the truffle-compile fork inside doxity.

trufflesuite/truffle-compile is now deprecated, and has been migrated to trufflesuite/truffle, which no longer uses solidity-parser. I tried changing my package.json locally to request the latest mocha package, which will pick the most recent growl and remove the vulnerability, but that creates repeated versions of mocha and growl, keeping the vulnerability in.

Any advice on how to fix this?
Thanks.

[roynalnaruto]

Hi @alexpArtos Please refer the doxity-latest branch

This will also work for truffle projects, with the latest version of solc (0.4.24).

As a guideline, please check how we have used doxity in this repository

Also please check my comment for steps on setting it up. Hope this helps