Apologies if this is really simple, I really don't understand the fundamentals involved here.
I recently got a string of emails from GitHub letting me know that there were security vulnerabilities in my package-lock.json files, but since I do not actually have any packages in my package.json files (except parcel bundler, which was auto-generated?), I wasn't sure if that was an issue. The only reason either file exists is because I used the Webstorm HTML5-Boilerplate template for the project, which auto-generated them.
This is the entirety of my package.json file.
{
  "name": " ",
  "version": "0.0.1",
  "description": "",
  "keywords": "",
  "license": "",
  "author": "",
  "scripts": {
    "build": "parcel build index.html",
    "dev": "parcel index.html --open",
    "start": "npm run build && npm run dev",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "devDependencies": {
    "parcel-bundler": "^1.12.4"
  }
}
To the best of my knowledge the only other external code used is jsdelivr and two research scripts, jquery and proliferate; none of these are raising any flags on GitHub.
Are there vulnerabilities simply by virtue of having outdated packages in package-lock.json even if they are never used? Should I just delete the files or is there a better solution?
The only real bug fix I've tried so far is generating a new HTML5-Boilerplate template using Webstorm to see if it had updated the package-lock, but that didn't do anything.
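A lockfile records every transitive package that `npm install` would fetch, not just the ones listed in package.json, and GitHub's alerts are raised against those entries. Each entry also carries a `dev` flag (`"dev": true`) when the package is reachable only through `devDependencies`, which is what `npm audit` uses to separate production from development findings. The script below, an added example that is not part of the question or of any npm tooling, reads a package-lock.json, tells you whether a flagged package name is absent, dev-only or part of the runtime tree, and walks its `requires` edges back up to the top-level package that pulls it in. It handles the nested `dependencies` tree of lockfileVersion 1 (the format a parcel-bundler 1.x project would have) as well as the flat `packages` map of lockfileVersion 2 and 3. The two embedded lockfiles and every package name in them other than parcel-bundler are constructed placeholders.

```python
import json
import sys

# Constructed lockfileVersion 1 sample (not the poster's real file). Package
# names other than parcel-bundler are placeholders, as are the versions.
SAMPLE_LOCK_V1 = json.loads("""
{
  "name": "boilerplate-demo",
  "version": "0.0.1",
  "lockfileVersion": 1,
  "dependencies": {
    "parcel-bundler":     {"version": "1.12.4", "dev": true,
                           "requires": {"example-helper": "^2.0.0"}},
    "example-helper":     {"version": "2.0.1",  "dev": true,
                           "requires": {"example-transitive": "~1.1.0"}},
    "example-transitive": {"version": "1.1.3",  "dev": true},
    "runtime-lib":        {"version": "3.2.0",
                           "requires": {"runtime-lib-dep": "1.0.0"},
                           "dependencies": {"runtime-lib-dep": {"version": "1.0.0"}}}
  }
}
""")

# Constructed lockfileVersion 3 sample of the same shape (flat "packages" map).
SAMPLE_LOCK_V3 = {
    "name": "boilerplate-demo",
    "lockfileVersion": 3,
    "packages": {
        "": {"devDependencies": {"parcel-bundler": "^1.12.4"}},
        "node_modules/parcel-bundler": {"version": "1.12.4", "dev": True,
                                        "dependencies": {"example-transitive": "~1.1.0"}},
        "node_modules/example-transitive": {"version": "1.1.3", "dev": True},
    },
}


def _entries(lock):
    """Yield (name, version, is_dev, requires) for every installed package.

    lockfileVersion 2/3: flat "packages" map keyed by install path; the root
    project is the "" key and is skipped. lockfileVersion 1: nested
    "dependencies" tree, where each entry may nest further "dependencies".
    """
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:
                continue
            name = path.split("node_modules/")[-1]  # keeps "@scope/name" intact
            requires = dict(meta.get("dependencies", {}))
            requires.update(meta.get("optionalDependencies", {}))
            yield name, meta.get("version"), bool(meta.get("dev")), requires
        return
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            yield name, meta.get("version"), bool(meta.get("dev")), dict(meta.get("requires", {}))
            if meta.get("dependencies"):
                stack.append(meta["dependencies"])


def classify(lock, pkg):
    """'absent', 'dev-only' (every copy has dev: true) or 'runtime'."""
    flags = [is_dev for name, _, is_dev, _ in _entries(lock) if name == pkg]
    if not flags:
        return "absent"
    return "dev-only" if all(flags) else "runtime"


def dependents(lock, pkg):
    """Installed packages whose requires/dependencies list pkg."""
    return sorted({name for name, _, _, req in _entries(lock) if pkg in req})


def chain_to_root(lock, pkg):
    """One path from pkg up to a top-level package (a cycle guard stops loops)."""
    chain, seen = [pkg], {pkg}
    while True:
        parents = [p for p in dependents(lock, chain[-1]) if p not in seen]
        if not parents:
            return chain
        chain.append(parents[0])
        seen.add(parents[0])


if __name__ == "__main__":
    # Usage: python lockcheck.py package-lock.json <package-name-from-alert>
    lock = json.load(open(sys.argv[1], encoding="utf-8"))
    for pkg in sys.argv[2:]:
        print(f"{pkg}: {classify(lock, pkg)}, pulled in via "
              + " <- ".join(chain_to_root(lock, pkg)))
```

Run it against the real lockfile with the package names from the GitHub alert emails; a result of `dev-only` means the package is only installed for the build tooling and is not shipped with the built site, while `runtime` means it ends up in what users load. `npm audit --omit=dev` (or `--production` on older npm) gives the same split from npm itself, and `npm update` or removing the lockfile and reinstalling regenerates it against current package versions.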