I’ve been wondering, what’s the best way to fix GitHub security advisories on a Sage project? I don’t even know what most of them are for; they are all npm packages. How does one go about updating the packages in a Sage project to address the security issues?
In a vanilla Sage install you can probably safely ignore most of them: Sage out-of-the-box uses 90% of the npm packages it installs for the build process, and most security issues that GitHub flags have to do with scripts that are out in the wild interacting with users and servers – things the Sage scripts will never do.
Usually the security advisories will give you some advice on how to address them, i.e. “Update Script X to at least version 2.3.5”, so you can always do that – frequently (IME) the packages in question have released a bugfix update to address the issue, so you don’t need to worry too much about them breaking anything. If it’s something deep in the dependency tree, that may be harder. IIRC though the advisories will also usually tell you what the security problem with the script is, and you can evaluate whether or not that vulnerability is actually applicable to your use case.
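The triage the answer describes (is the flagged package only part of the build toolchain, is there a drop-in fix or does it need a major bump deep in the tree, what is the advisory actually about) can be done mechanically from `npm audit --json` and the project's `package.json`. The script below is an added example, not code from the poster or from the Sage/Roots project. It assumes the npm 7+ audit report shape (`vulnerabilities` keyed by package, with `isDirect`, `via`, `effects` and `fixAvailable` fields); the package names, versions and advisory titles in the embedded sample are constructed.

```python
import json

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}

# Constructed sample of `npm audit --json` output (npm 7+ report shape, as assumed here),
# trimmed to the fields the triage reads. Package names, versions and advisories are made up.
SAMPLE_AUDIT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "build-helper": {
            "name": "build-helper", "severity": "high", "isDirect": True,
            "via": [
                {"title": "Prototype pollution in option parsing",
                 "url": "https://example.invalid/advisory/1", "severity": "high", "range": "<2.3.5"},
                "deep-transitive",  # npm lists transitive causes as bare package names
            ],
            "effects": [], "range": "<2.3.5",
            "nodes": ["node_modules/build-helper"], "fixAvailable": True,
        },
        "deep-transitive": {
            "name": "deep-transitive", "severity": "moderate", "isDirect": False,
            "via": [{"title": "Regular expression denial of service",
                     "url": "https://example.invalid/advisory/2", "severity": "moderate", "range": "<1.0.9"}],
            "effects": ["build-helper"], "range": "<1.0.9",
            "nodes": ["node_modules/build-helper/node_modules/deep-transitive"],
            "fixAvailable": {"name": "build-helper", "version": "3.0.0", "isSemVerMajor": True},
        },
        "runtime-widget": {
            "name": "runtime-widget", "severity": "critical", "isDirect": True,
            "via": [{"title": "Cross-site scripting in template rendering",
                     "url": "https://example.invalid/advisory/3", "severity": "critical", "range": "<=4.1.0"}],
            "effects": [], "range": "<=4.1.0",
            "nodes": ["node_modules/runtime-widget"], "fixAvailable": False,
        },
    },
})

# Constructed package.json: the build tool is a devDependency, the widget ships to the browser.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"runtime-widget": "^4.0.0"},
    "devDependencies": {"build-helper": "^2.0.0"},
})


def direct_roots(name, vulns, seen=None):
    """Follow 'effects' (immediate dependents) upward until reaching packages npm marks isDirect."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    entry = vulns.get(name)
    if entry is None or entry.get("isDirect"):
        return {name}
    roots = set()
    for dependent in entry.get("effects", []):
        roots |= direct_roots(dependent, vulns, seen)
    return roots


def describe_fix(fix):
    """Turn npm's fixAvailable field (bool or object) into a one-line action."""
    if fix is True:
        return "in-range update"
    if isinstance(fix, dict):
        verb = "major bump of" if fix.get("isSemVerMajor") else "update"
        return "%s %s to %s" % (verb, fix["name"], fix["version"])
    return "none"


def triage(audit_text, package_json_text):
    vulns = json.loads(audit_text).get("vulnerabilities", {})
    dev_deps = set(json.loads(package_json_text).get("devDependencies", {}))
    rows = []
    for name, entry in vulns.items():
        roots = direct_roots(name, vulns)
        rows.append({
            "package": name,
            "severity": entry.get("severity", "info"),
            "direct": bool(entry.get("isDirect")),
            "pulled_in_by": sorted(roots),
            # Only reachable through devDependencies: build-time code, not shipped to browsers/servers.
            "build_only": bool(roots) and roots <= dev_deps,
            "fix": describe_fix(entry.get("fixAvailable")),
            "advisories": [v.get("title", "") for v in entry.get("via", []) if isinstance(v, dict)],
        })
    # Runtime exposure first, then by severity; build-only findings sink to the bottom for review.
    rows.sort(key=lambda r: (r["build_only"], SEVERITY_RANK.get(r["severity"], 9), r["package"]))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_AUDIT, SAMPLE_PACKAGE_JSON):
        scope = "BUILD-ONLY" if row["build_only"] else "RUNTIME"
        print("%-10s %-8s %-16s fix: %-36s %s"
              % (scope, row["severity"], row["package"], row["fix"], "; ".join(row["advisories"])))
```

On a real theme, run `npm audit --json > audit.json` in the theme directory and feed that file plus `package.json` to `triage()`. Findings whose only route into the project is a `devDependencies` entry are the build-process cases the answer says are usually safe to deprioritise; a `fixAvailable` object with `isSemVerMajor` set is the "deep in the dependency tree" case, where the fix is a major version bump of a direct dependency rather than `npm audit fix`. The advisory titles are kept so the applicability judgement the answer recommends can still be made per finding.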