I'm working on a React application my agency recently picked up. The application has existed for ~2 years. I ran npm audit last week and discovered the app has quite a few high-level security vulnerabilities.
Most of them are coming from jest, a testing framework for React. We'll need to upgrade the package by a few major versions to resolve the vulnerabilities.
This could be a lot of work to take on right now, but I don't know if it should be a high priority. I'm not sure if this dependency has any impact on my app's security in production.
Are vulnerabilities from my testing framework a threat to my app in production?
Any advice would be appreciated! Thank you!