npm audit security report: several vulnerabilities found

[RosarioAleCali]

Running npm audit outputs the following:

It actually outputs more vulnerabilities but they are all related to static-eval.
Is this something that can be fixed for the next version?

[etpinard]

see #2386 (comment)

[etpinard]

and scijs/cwise#21 which unfortunately breaks plotly.js bundling.

[RosarioAleCali]

Okay, do you see a fix for it in the foreseeable future?

[etpinard]

As this issue only potentially affects plotly.js users that build their custom bundles that include gl3d trace types (which is a fairly low % of our users), no plotly.js team member will spend time on this in the short term.

[RosarioAleCali]

Ok, then I will close this issue.

[Queatz]

We're trying to make Plot.ly pass CI - is there a way to disable "custom bundles that include gl3d trace types" so that the vulnerabilities go away?

[antoinerg]

@Queatz it should be possible to require only what you need. Please see https://github.com/plotly/plotly.js/#modules for details