create-elm-app

found 1 moderate severity vulnerability? (npm install > audit)

Open wibrt opened this issue 5 years ago • 3 comments

npm install

After running $ npm install -G create-elm-app I get the output:

..
+ [email protected]
added 1299 packages from 773 contributors and audited 15279 packages in 80.205s
..
found 1 moderate severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Running npm audit manually does not work

npm ERR! code EAUDITNOPJSON
npm ERR! audit No package.json found: Cannot audit a project without a package.json

Versions

  1. node -v: v10.15.2

  2. npm -v: 4.14.3

  3. npm ls create-elm-app -g (if you haven't ejected): /usr/local/lib └── (empty)

Then, specify:

  1. Operating system: Debian GNU/Linux 10 (buster)

Steps to Reproduce

npm install -G create-elm-app

wibrt Apr 23 '20 08:04
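
Added example (not part of the original issue or of the create-elm-app project): `npm audit` stops with EAUDITNOPJSON after a global install because there is no package.json or lockfile to audit. One way to see the advisory details is to resolve the package's dependency tree in a scratch project and audit that lockfile; the function names and the `audit-scratch` project name are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: audit a globally installed npm package by resolving its
# dependency tree in a throwaway project. A global install leaves no
# package.json or lockfile behind, which is what `npm audit` reads.

# Write a minimal private package.json that depends on the package.
# $1 = project dir, $2 = package name, $3 = version or range (default: latest)
make_audit_project() {
    dir=$1 pkg=$2 ver=${3:-latest}
    mkdir -p "$dir" || return 1
    cat > "$dir/package.json" <<EOF
{
  "name": "audit-scratch",
  "version": "0.0.0",
  "private": true,
  "dependencies": { "$pkg": "$ver" }
}
EOF
}

# Resolve the tree into package-lock.json without installing anything,
# then run the audit against that lockfile.
# $1 = package name, $2 = version (optional; pass the one you installed)
audit_global_package() {
    command -v npm >/dev/null 2>&1 || { echo "npm not found" >&2; return 127; }
    scratch=$(mktemp -d) || return 1
    make_audit_project "$scratch" "$1" "$2" || return 1
    (
        cd "$scratch" &&
        npm install --package-lock-only --ignore-scripts >/dev/null &&
        npm audit    # exits non-zero when advisories are found
    )
    status=$?
    rm -rf "$scratch"
    return "$status"
}

# Usage (needs network access to the npm registry):
#   audit_global_package create-elm-app
```

The audit output names the dependency path that pulls in the vulnerable package, which is the information the install summary omits.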

Hi @wibrt!

Thanks for raising awareness! 👍 The vulnerability originates in https://github.com/webpack-contrib/uglifyjs-webpack-plugin, which is currently providing a better minimization rate for JS produced by Elm.

We can definitely fix this by switching to a well-maintained https://github.com/webpack-contrib/terser-webpack-plugin, which would slightly increase the asset size.

Are you interested in working on a fix for this?

halfzebra May 10 '20 21:05

unfortunately no dev background with (create-)elm(-app) nor time at the moment

wibrt May 11 '20 12:05

No worries!

I will see how this can be solved. 🙌

halfzebra May 11 '20 19:05