
high severity vulnerabilities #265

Open
kikawet opened this issue Jul 5, 2022 · 0 comments
Labels
bug Something isn't working


kikawet commented Jul 5, 2022

Current Behavior

When installing a fresh @nx-plus/vue dependency, npm audit reveals 7 high severity vulnerabilities (error output in Steps to Reproduce).

Further report from npm audit:

$ npm audit
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.
# npm audit report

glob-parent  <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @nx-plus/vue@0.4.1, which is a breaking change
node_modules/@nx-plus/vue/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/@nx-plus/vue/node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/@nx-plus/vue/node_modules/webpack
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/@nx-plus/vue/node_modules/copy-webpack-plugin
    @nx-plus/vue  >=0.5.0
    Depends on vulnerable versions of copy-webpack-plugin
    node_modules/@nx-plus/vue

7 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Steps to Reproduce

Run the following command and you should get this output

$ npm install @nx-plus/vue --save-dev
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated   
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'

added 1349 packages, and audited 1350 packages in 3m

88 packages are looking for funding
  run `npm fund` for details

7 high severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

This issue may not be prioritized if details are not provided to help us reproduce the issue.

Failure Logs

Environment

Plugin name and version: "@nx-plus/vue": "^14.1.0"

$ nx report
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.

 >  NX   Report complete - copy this into the issue template

   Node : 16.15.1
   OS   : win32 x64
   npm  : 8.12.1

   nx : 14.4.0
   @nrwl/angular : Not Found
   @nrwl/cypress : 14.4.0
   @nrwl/detox : Not Found
   @nrwl/devkit : 14.4.0
   @nrwl/eslint-plugin-nx : 14.4.0
   @nrwl/express : 14.4.0
   @nrwl/jest : 14.4.0
   @nrwl/js : 14.4.0
   @nrwl/linter : 14.4.0
   @nrwl/nest : 14.4.0
   @nrwl/next : Not Found
   @nrwl/node : 14.4.0
   @nrwl/nx-cloud : Not Found
   @nrwl/nx-plugin : Not Found
   @nrwl/react : Not Found
   @nrwl/react-native : Not Found
   @nrwl/schematics : Not Found
   @nrwl/storybook : Not Found
   @nrwl/web : Not Found
   @nrwl/workspace : 14.4.0
   typescript : 4.7.4
   ---------------------------------------
   Community plugins:
         @nx-plus/vue: 14.1.0
@kikawet kikawet added the bug Something isn't working label Jul 5, 2022