riot upgrade to solve vulnerabilties

[the1mag]

In the builder container npm audit shows vulnerabilities for some packages under riot and suggests upgrading riot to resolve them. I have a tracking system that also shows additional packages under riot that have high warnings. Is upgrading to new versions of riot possible to solve these warnings? The frontend loads Riot.js 3.13.2 but will this be updated anytime?

[Didayolo]

Thank you for your message.

The upgrade to Riot 3.13.2 is part of the following pull request: #2200

It will probably be merged and deployed on production in approximatively two weeks.

[the1mag]

Hi, Thanks for the response. If package vulnerabilities still exist, is it a good idea to use a production overrides to disable the builder service so that the package vulnerabilities aren't exposed to production? If so, do you have any suggestions on the best way to implement this when deploying a new production server?

[ObadaS]

Hello, the builder still needs to do its job at least once every time you update the instance (just to make sure nothing is missing).
What you can do is to shut down the builder once you see in the logs that the job is done.