I know that this will not be a short-term fix, but recently I upgraded to NPM version 6.x.x. Today I created a new SPFx project and got the following report of security issues.

I also know that this has no impact on the deployed SPFx solution and only has an impact on the build pipe, but I guess some people are not aware of this.
Install NPM 6.0 and create a new project, or run:
npm audit
Thanks, Stefan, noted and acknowledged with the right people. Closing this one as there's really nothing precisely to be done right now as 6.0 is not yet supported. This helps though with heads-up on things to double check. Thanks for that.
Thank you @vesa. Blogged about it yesterday https://n8d.at/blog/npm-6-0-and-sharepoint-framework-security-reporting/
Will add a remark that it is not officially supported yet.
Just to clarify: this issue is not about using npm@6. It's about vulnerabilities in downstream packages used by SPFx. npm@6 makes the issues visible easily, but they are still there even if you use npm@5. Also, just because vulnerabilities are reported, it doesn't mean that they apply to how the affected packages are being used in the SPFx toolchain. Clarification on these issues might help avoid concerns from organizations using SPFx, especially when using npm@6 will become mainstream and these issues will be reported by default.
It isn't clear to me:
Are you saying that there are no security issues using these packages the way SPFx does, or is it unsure whether there are security issues?
Thx.
The reported issues change regularly as packages are being updated and new issues are being discovered, so if you want to be sure that none of them affects your organization, you would have to evaluate your solution at the given point in time and lock its dependencies.
Issues that have been closed & had no follow-up activity for at least 7 days are automatically locked. Please refer to our wiki for more details, including how to remediate this action if you feel this was done prematurely or in error: Issue List: Our approach to locked issues