Security is of the utmost importance to Netlify, so you might be wondering why npm audit on netlify-cli@8.6.1 produces output like
16 vulnerabilities (9 moderate, 7 high)
While npm developers had some great intentions when npm audit came into being, it’s actually not very helpful and tends to produce a lot of noise. Dan Abramov has a fairly succinct write-up of why the tool is broken (with plenty of discussion on Hacker News); in our context, it can best be summed up by saying that it’s hard to know which of the reported vulnerabilities are actually exploitable in the context of the CLI.
With that being said, we are continuously looking to reduce the number of dependencies (example PR) our CLI installs to limit attack vectors and, as of this writing, we’re in the process of converting the codebase to ES Modules to enable us to upgrade to the latest versions of our dependencies.
We use a shrinkwrap file, which means once we publish the CLI you’d always get the same dependencies when you install it using npm (with yarn you should use your own lock file). That pins the dependencies users get when installing the CLI, so they don’t implicitly get minor/patch updates due to semver ranges.
We highly encourage submitting any security issue you find by following our security policy.