Reputation: 30156
I'm setting up a preact project with preact-cli:
npx --version # 7.4.0
npx preact-cli create typescript frontend
This tells me:
...
added 1947 packages, and audited 1948 packages in 31s
129 packages are looking for funding
run `npm fund` for details
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
✔ Done!
3 high security vulnerabilities after just running the default setup!?
That doesn't sound very reassuring.
npm audit fix
...
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
Ok, so apparently npm fix wants to downgrade preact-cli. Let's go then:
npm audit fix --force
...
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/preact-cli/node_modules/webpack-dev-server/node_modules/yargs-parser
node_modules/preact-cli/node_modules/yargs-parser
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/preact-cli/node_modules/webpack-dev-server/node_modules/yargs
node_modules/preact-cli/node_modules/yargs
preact-cli 1.0.0 - 3.0.0-next.3
Depends on vulnerable versions of extract-text-webpack-plugin
Depends on vulnerable versions of url-loader
Depends on vulnerable versions of yargs
node_modules/preact-cli
webpack 2.1.0-beta.8 - 4.0.0-alpha.0
Depends on vulnerable versions of yargs
node_modules/preact-cli/node_modules/webpack
extract-text-webpack-plugin 2.0.0-beta.0 - 3.0.2
Depends on vulnerable versions of webpack
node_modules/preact-cli/node_modules/extract-text-webpack-plugin
webpack-dev-server 2.0.0-beta - 3.10.3
Depends on vulnerable versions of webpack
Depends on vulnerable versions of yargs
node_modules/preact-cli/node_modules/webpack-dev-server
17 vulnerabilities (7 low, 8 moderate, 2 high)
Ah yes, downgrading to 2.2.1 introduces new vulnerabilities. They can be solved by undoing the downgrade and going back up to 3.0.5.
This is a circle, npm audit fix --force just switches back and forth between the 3.0.5 and 2.2.1 versions of preact-cli.
Some context: This seems to be a known issue.
Upvotes: 1
Views: 605
Reputation: 2966
Late here (already closed on the CLI repo) but for context, 2.2.1 is a few years old now, and the dependency was a build-time one. There's no risk for build-time dependencies, especially this one, as it just existed to report changes in your built bundle size.
Always look at what npm audit is actually complaining about. If it's something that's build-time only, you can ignore it.
Upvotes: 0