Roots Discourse

How to deal with (GitHub) Security Alerts?

Currently GitHub Security Alerts gives a warning about the fstream and axios packages. Should I wait for Sage to update them (or the packages that depend on them) or should I update them myself? fstream is easily updateble as the packages that depend on it allow for a newer version of fstream to be installed, but axios seems to be locked on its specific version. Should I thus update the packages that depend on it?

Or does it not really matter and just keep it as is?

I would always bump up the dependency versions in my project. That obviously is not always easy or desired (for example upgrade from webpack3 to 4) but as long as the changes are not breaking or easy to maintain I am always updating everything in my long term projects. I actually even updated some of the projects to webpack4 but they do not resemble sage too much anymore.