
found 1 moderate severity vulnerability? (npm install > audit) #427

Open
wibrt opened this issue Apr 23, 2020 · 3 comments

Comments

@wibrt

wibrt commented Apr 23, 2020

npm install

After running
    $ npm install -G create-elm-app
I get the output:

    ..
    + create-elm-app@4.2.8
    added 1299 packages from 773 contributors and audited 15279 packages in 80.205s
    ..
    found 1 moderate severity vulnerability
      run `npm audit fix` to fix them, or `npm audit` for details

Running npm audit manually does not work:

    npm ERR! code EAUDITNOPJSON
    npm ERR! audit No package.json found: Cannot audit a project without a package.json

Versions

  1. node -v: v10.15.2

  2. npm -v: 4.14.3

  3. npm ls create-elm-app -g (if you haven’t ejected):
    /usr/local/lib
    └── (empty)

Then, specify:

  1. Operating system: Debian GNU/Linux 10 (buster)

Steps to Reproduce

npm install -G create-elm-app

@halfzebra
Owner

Hi @wibrt!

Thanks for raising awareness! 👍
The vulnerability originates in https://github.com/webpack-contrib/uglifyjs-webpack-plugin, which is currently providing a better minimization rate for JS produced by Elm.

We can definitely fix this by switching to a well-maintained https://github.com/webpack-contrib/terser-webpack-plugin, which would slightly increase the asset size.

Are you interested in working on a fix for this?

@wibrt
Author

wibrt commented May 11, 2020

Unfortunately, no dev background with (create-)elm(-app) nor time at the moment.

@halfzebra
Owner

No worries!

I will see how this can be solved. 🙌
