Not saying you must do anything :)
I totally get your point with dev reps. Snyk, for instance, will omit the dev deps by default when scanning. However, you can change that if you like.
On the 100% commit. This is true! But I assume you have tests in place that will cover the critical paths at the very least. However, when a dependency has vulns, you should IMO switch to a fixed version (or another library) and adapt the rest of your application.
Either way, having a solid dependency management strategy in place is crucial.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Of course I want to update dependencies, but only if I 100% sure that the main code doesn't break.
Also, why would I update devDependencies, if it doesn't go into production, anyway?
Not saying you must do anything :)
I totally get your point with dev reps. Snyk, for instance, will omit the dev deps by default when scanning. However, you can change that if you like.
On the 100% commit. This is true! But I assume you have tests in place that will cover the critical paths at the very least. However, when a dependency has vulns, you should IMO switch to a fixed version (or another library) and adapt the rest of your application.
Either way, having a solid dependency management strategy in place is crucial.