https://community.fabric.microsoft.com/t5/Developer/Visual-Object-node-modules-vulnerabilities/m-p/2363956#M34674 <P>Hi&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/256692">@jay-jay</a>&nbsp;,</P> <P>&nbsp;</P> <P>1.&nbsp;</P> <P>There are some requirements and tests before&nbsp;a Power BI visual certified.</P> <P>You may refer to the blogs as below.</P> <P>For reference:</P> <P><A href="https://docs.microsoft.com/en-us/power-bi/developer/visuals/submission-testing" target="_self">Test a Power BI visual before submitting it</A></P> <P><A href="https://docs.microsoft.com/en-us/power-bi/developer/visuals/power-bi-custom-visuals-certified#certification-requirements" target="_self">Certification requirements</A></P> <P>2.</P> <P><SPAN>This PR enables using the existing&nbsp;</SPAN><CODE>--production</CODE><SPAN>&nbsp;flag when running&nbsp;</SPAN><CODE>npm audit</CODE><SPAN>. Using this flag will ignore dev dependencies when assigning the&nbsp;</SPAN><CODE>requires</CODE><SPAN>&nbsp;constant that is passed to&nbsp;</SPAN><CODE>audit.generate</CODE><SPAN>.</SPAN></P> <P><SPAN>For reference:&nbsp;<A href="https://github.com/npm/cli/pull/202" target="_self">Enable production flag for npm audit</A></SPAN></P> <P>&nbsp;</P> <P>Best Regards,<BR />Rico Zhou</P> <P>&nbsp;</P> <P>If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.</P> Mon, 28 Feb 2022 08:06:55 GMT Anonymous 2022-02-28T08:06:55Z https://community.fabric.microsoft.com/t5/Developer/Visual-Object-node-modules-vulnerabilities/m-p/2361263#M34636 <P>Hi,</P><P>I <SPAN>cloned a certified visual object code to add some modifications. In the github repo there are no vulnerabilities reported but when I install (through npm i) the necessary packages "npm audit" command finds some vulnerabilities.</SPAN></P><P><SPAN>I read <A title="github post" href="https://github.com/microsoft/PowerBI-visuals-tools/issues/383" target="_self"><U><EM>https://github.com/microsoft/PowerBI-visuals-tools/issues/383</EM></U></A>&nbsp;that the right command to check vulnerabilities on visual is "npm audit --production", beacause it does not consider devDependencies.</SPAN></P><P><SPAN>So I have 2 questions:</SPAN></P><DIV><SPAN>- Is the certified visual object&nbsp;continuously&nbsp;checked? </SPAN></DIV><DIV><SPAN>- Can I use the object without security issues?</SPAN></DIV><DIV><SPAN>Thanks,</SPAN></DIV> Fri, 25 Feb 2022 13:43:13 GMT https://community.fabric.microsoft.com/t5/Developer/Visual-Object-node-modules-vulnerabilities/m-p/2361263#M34636 jay-jay 2022-02-25T13:43:13Z https://community.fabric.microsoft.com/t5/Developer/Visual-Object-node-modules-vulnerabilities/m-p/2363956#M34674 <P>Hi&nbsp;<a href="https://community.fabric.microsoft.com/t5/user/viewprofilepage/user-id/256692">@jay-jay</a>&nbsp;,</P> <P>&nbsp;</P> <P>1.&nbsp;</P> <P>There are some requirements and tests before&nbsp;a Power BI visual certified.</P> <P>You may refer to the blogs as below.</P> <P>For reference:</P> <P><A href="https://docs.microsoft.com/en-us/power-bi/developer/visuals/submission-testing" target="_self">Test a Power BI visual before submitting it</A></P> <P><A href="https://docs.microsoft.com/en-us/power-bi/developer/visuals/power-bi-custom-visuals-certified#certification-requirements" target="_self">Certification requirements</A></P> <P>2.</P> <P><SPAN>This PR enables using the existing&nbsp;</SPAN><CODE>--production</CODE><SPAN>&nbsp;flag when running&nbsp;</SPAN><CODE>npm audit</CODE><SPAN>. Using this flag will ignore dev dependencies when assigning the&nbsp;</SPAN><CODE>requires</CODE><SPAN>&nbsp;constant that is passed to&nbsp;</SPAN><CODE>audit.generate</CODE><SPAN>.</SPAN></P> <P><SPAN>For reference:&nbsp;<A href="https://github.com/npm/cli/pull/202" target="_self">Enable production flag for npm audit</A></SPAN></P> <P>&nbsp;</P> <P>Best Regards,<BR />Rico Zhou</P> <P>&nbsp;</P> <P>If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.</P> Mon, 28 Feb 2022 08:06:55 GMT https://community.fabric.microsoft.com/t5/Developer/Visual-Object-node-modules-vulnerabilities/m-p/2363956#M34674 Anonymous 2022-02-28T08:06:55Z https://community.fabric.microsoft.com/t5/Developer/Visual-Object-node-modules-vulnerabilities/m-p/2367349#M34705 <P>I read the documentation about certification requirements and one requirement is "the visual must not have vulnerabilities", but it is not guaranteed the visual will not have some in the future.</P><P>I&nbsp;cloned the chicletSlicer code from github. The visual is developed with an old version of powerbi-visuals-tools: "npm i" finds some vulnerabilities, on the contrary "npm i --production" doesn't find anything (all packages are in devDependencies). So can I suppose there are not vulnerabilities when I build the component through "pbiviz package" or do I have to set some configuration files?</P> Tue, 01 Mar 2022 12:49:36 GMT https://community.fabric.microsoft.com/t5/Developer/Visual-Object-node-modules-vulnerabilities/m-p/2367349#M34705 jay-jay 2022-03-01T12:49:36Z