i just ran:
lein new luminus dangerp +postgres +reagent +auth
and got:
(defproject dangerp "0.1.0-SNAPSHOT"
  :description "FIXME: write description"
  :url "http://example.com/FIXME"
  :dependencies [[buddy "2.0.0"]
                 [ch.qos.logback/logback-classic "1.2.3"]
                 [cheshire "5.8.1"]
                 [cljs-ajax "0.8.0"]
                 [clojure.java-time "0.3.2"]
                 [com.cognitect/transit-clj "0.8.313"]
                 [conman "0.8.3"]
                 [cprop "0.1.14"]
                 [funcool/struct "1.4.0"]
                 [luminus-jetty "0.1.7"]
                 [luminus-migrations "0.6.5"]
                 [luminus-transit "0.1.1"]
                 [luminus/ring-ttl-session "0.3.3"]
                 [markdown-clj "1.10.0"]
                 [metosin/muuntaja "0.6.4"]
                 [metosin/reitit "0.3.9"]
                 [metosin/ring-http-response "0.9.1"]
                 [mount "0.1.16"]
                 [nrepl "0.6.0"]
                 [org.clojure/clojure "1.10.1"]
                 [org.clojure/clojurescript "1.10.520" :scope "provided"]
                 [org.clojure/tools.cli "0.4.2"]
                 [org.clojure/tools.logging "0.4.1"]
                 [org.postgresql/postgresql "42.2.6"]
                 [org.webjars.npm/bulma "0.7.5"]
                 [org.webjars.npm/material-icons "0.3.0"]
                 [org.webjars/webjars-locator "0.36"]
                 [reagent "0.8.1"]
                 [ring-webjars "0.2.0"]
                 [ring/ring-core "1.7.1"]
                 [ring/ring-defaults "0.3.2"]
                 [selmer "1.12.12"]]
  :min-lein-version "2.0.0"
  :source-paths ["src/clj" "src/cljs" "src/cljc"]
  :test-paths ["test/clj"]
  :resource-paths ["resources" "target/cljsbuild"]
  :target-path "target/%s/"
  :main ^:skip-aot dangerp.core
  :plugins [[lein-cljsbuild "1.1.7"]]
  :clean-targets ^{:protect false}
  [:target-path [:cljsbuild :builds :app :compiler :output-dir] [:cljsbuild :builds :app :compiler :output-to]]
  :figwheel
  {:http-server-root "public"
   :server-logfile "log/figwheel-logfile.log"
   :nrepl-port 7002
   :css-dirs ["resources/public/css"]
   :nrepl-middleware [cider.piggieback/wrap-cljs-repl]}
  :profiles
  {:uberjar {:omit-source true
             :prep-tasks ["compile" ["cljsbuild" "once" "min"]]
             :cljsbuild{:builds
                        {:min
                         {:source-paths ["src/cljc" "src/cljs" "env/prod/cljs"]
                          :compiler
                          {:output-dir "target/cljsbuild/public/js"
                           :output-to "target/cljsbuild/public/js/app.js"
                           :source-map "target/cljsbuild/public/js/app.js.map"
                           :optimizations :advanced
                           :pretty-print false
                           :infer-externs true
                           :closure-warnings
                           {:externs-validation :off :non-standard-jsdoc :off}
                           :externs ["react/externs/react.js"]}}}}
             :aot :all
             :uberjar-name "dangerp.jar"
             :source-paths ["env/prod/clj"]
             :resource-paths ["env/prod/resources"]}
   :dev [:project/dev :profiles/dev]
   :test [:project/dev :project/test :profiles/test]
   :project/dev {:jvm-opts ["-Dconf=dev-config.edn"]
                 :dependencies [[binaryage/devtools "0.9.10"]
                                [cider/piggieback "0.4.1"]
                                [doo "0.1.11"]
                                [expound "0.7.2"]
                                [figwheel-sidecar "0.5.19"]
                                [pjstadig/humane-test-output "0.9.0"]
                                [prone "2019-07-08"]
                                [ring/ring-devel "1.7.1"]
                                [ring/ring-mock "0.4.0"]]
                 :plugins [[com.jakemccrary/lein-test-refresh "0.24.1"]
                           [lein-doo "0.1.11"]
                           [lein-figwheel "0.5.19"]]
                 :cljsbuild{:builds
                            {:app
                             {:source-paths ["src/cljs" "src/cljc" "env/dev/cljs"]
                              :figwheel {:on-jsload "dangerp.core/mount-components"}
                              :compiler
                              {:main "dangerp.app"
                               :asset-path "/js/out"
                               :output-to "target/cljsbuild/public/js/app.js"
                               :output-dir "target/cljsbuild/public/js/out"
                               :source-map true
                               :optimizations :none
                               :pretty-print true}}}}
                 :doo {:build "test"}
                 :source-paths ["env/dev/clj"]
                 :resource-paths ["env/dev/resources"]
                 :repl-options {:init-ns user}
                 :injections [(require 'pjstadig.humane-test-output)
                              (pjstadig.humane-test-output/activate!)]}
   :project/test {:jvm-opts ["-Dconf=test-config.edn"]
                  :resource-paths ["env/test/resources"]
                  :cljsbuild
                  {:builds
                   {:test
                    {:source-paths ["src/cljc" "src/cljs" "test/cljs"]
                     :compiler
                     {:output-to "target/test.js"
                      :main "dangerp.doo-runner"
                      :optimizations :whitespace
                      :pretty-print true}}}}
                  }
   :profiles/dev {}
   :profiles/test {}})
i add [lein-nvd "1.2.0"]
as a dev plugin and then run:
lein nvd check
from this i get:
+-------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| dependency | status |
+-------------------------------------------------+----------------------------------------------------------------------------------------------------------+
| bcprov-jdk15on-1.58.jar | CVE-2018-1000613, CVE-2018-1000180, CVE-2017-13098 |
| jackson-databind-2.9.8.jar | CVE-2019-12086, CVE-2019-12384, CVE-2019-12814 |
| jetty-util-9.4.12.v20180830.jar | CVE-2019-10247, CVE-2019-10241 |
| prone-2019-07-08.jar: prone-lib.js | including untrusted objects as React children can result in an XSS security vulnerability |
| protobuf-java-3.0.2.jar | CVE-2015-5237 |
| react-16.3.2-0.jar | CVE-2018-6341 |
| react-dom-16.3.2-0.jar | CVE-2018-6341 |
| react-dom-server-16.3.2-0.jar | CVE-2018-6341 |
| reitit-swagger-ui-0.3.9.jar | CVE-2016-5682 |
| ring-swagger-ui-2.2.10.jar: handlebars-4.0.5.js | A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template |
| ring-swagger-ui-2.2.10.jar: jquery-1.8.0.min.js | CVE-2019-11358, CVE-2012-6708, CVE-2015-9251 |
+-------------------------------------------------+----------------------------------------------------------------------------------------------------------+
18 vulnerabilities detected. Severity: HIGH
now i think security is really important, and i do try to stay informed, but right now this level of detail is just much more than i can handle…
so i guess i just wanted to post this in the hope that somebody has already run into the same problem, and is willing to share some insight
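
Added example, not part of the original post and not lein-nvd's own code: a small Python parser for the report table above that separates CVE ids from free-text advisories, totals the findings, and sets aside jars declared only under `:project/dev`. The `DEV_ONLY_JARS` set is an assumption read off the project.clj in the post; the function names are made up for this sketch.

```python
import re

# Rows copied from the `lein nvd check` report in the post (column padding trimmed).
REPORT = """\
+------------+--------+
| dependency | status |
| bcprov-jdk15on-1.58.jar | CVE-2018-1000613, CVE-2018-1000180, CVE-2017-13098 |
| jackson-databind-2.9.8.jar | CVE-2019-12086, CVE-2019-12384, CVE-2019-12814 |
| jetty-util-9.4.12.v20180830.jar | CVE-2019-10247, CVE-2019-10241 |
| prone-2019-07-08.jar: prone-lib.js | including untrusted objects as React children can result in an XSS security vulnerability |
| protobuf-java-3.0.2.jar | CVE-2015-5237 |
| react-16.3.2-0.jar | CVE-2018-6341 |
| react-dom-16.3.2-0.jar | CVE-2018-6341 |
| react-dom-server-16.3.2-0.jar | CVE-2018-6341 |
| reitit-swagger-ui-0.3.9.jar | CVE-2016-5682 |
| ring-swagger-ui-2.2.10.jar: handlebars-4.0.5.js | A prototype pollution vulnerability in handlebars is exploitable if an attacker can control the template |
| ring-swagger-ui-2.2.10.jar: jquery-1.8.0.min.js | CVE-2019-11358, CVE-2012-6708, CVE-2015-9251 |
18 vulnerabilities detected. Severity: HIGH
"""

# Assumption: prone is declared only under :project/dev in the project.clj above.
DEV_ONLY_JARS = {"prone-2019-07-08.jar"}
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_report(text):
    """Return one dict per table row: jar, bundled file, CVE ids, text advisory."""
    findings = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or cells[0] in ("", "dependency"):
            continue  # border, header, or summary line
        jar, _, bundled = cells[0].partition(": ")  # "x.jar: file.js" = JS inside a jar
        cves = CVE_RE.findall(cells[1])
        findings.append({"jar": jar, "bundled": bundled or None, "cves": cves,
                         "advisory": None if cves else cells[1],
                         "dev_only": jar in DEV_ONLY_JARS})
    return findings

def count_findings(findings):
    """Each CVE id counts once per row; a text-only advisory counts as one."""
    return sum(len(f["cves"]) or 1 for f in findings)

def runtime_jars(findings):
    """Flagged jars that are not dev-only: the ones to review first."""
    return sorted({f["jar"] for f in findings if not f["dev_only"]})
```

Running `lein deps :tree` shows which declared dependency pulls in each flagged jar, which is the next step once the list is narrowed.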