Multiple dependencies out of date causing issues in downstream packages
Multiple packages referenced by the project's package.json are old or very old.
This causes not only potential security issues for projects referencing this package, it also causes a lot of warnings when installing, building and/or bundling this package or packages dependent on it.
For example, node-fetch is still referenced at version 2.7.0, which references the ancient version 5.0.0 of whatwg-url (current: 14). Not only are most of these packages not using ESM yet, they are also using deprecated syntax such as "./", "./*" or "//" exports, deprecated and warned about in DEP0155 and DEP0166.
Some packages like devcert can be replaced with native Node Crypto implementations (I'm not sure if devcert is even used).
Here is the current status of dependencies:
@azure/static-web-apps-cli - 17 major, 11 minor, 7 patch
dependencies

| name | last updated | installed version | available version | package last updated |
| --- | --- | --- | --- | --- |
| chalk | ~3.2y | ^4.1.2 | ^5.3.0 | ~1.3y |
| commander | ~1.7y | ^9.5.0 | ^12.1.0 | ~5mo |
| concurrently | ~1.9y | ^7.6.0 | ^9.0.1 | ~25d |
| cookie | ~2.5y | ^0.5.0 | ^0.7.1 | ~3d |
| get-port | ~4.7y | ^5.1.1 | ^7.1.0 | ~7mo |
| internal-ip | ~3.9y | ^6.2.0 | ^8.0.0 | ~1.3y |
| open | ~1.6y | ^8.4.2 | ^10.1.0 | ~7mo |
| ora | ~3.3y | ^5.4.1 | ^8.1.0 | ~1mo |
| wait-on | ~11mo | ^7.2.0 | ^8.0.1 | ~26d |
| @azure/identity | ~4mo | ^4.3.0 | ^4.4.1 | ~2mo |
| @azure/msal-common | ~3mo | ^14.13.0 | ^14.15.0 | ~17d |
| finalhandler | ~2.5y | ^1.2.0 | ^1.3.1 | ~25d |
| serve-static | ~2.5y | ^1.15.0 | ^1.16.2 | ~25d |
| update-notifier | ~11mo | ^7.0.0 | ^7.3.1 | ~27d |
| yaml | ~2.5y | ^2.0.1 | ^2.5.1 | ~1mo |
| adm-zip | ~4mo | ^0.5.14 | ^0.5.16 | ~1mo |
| devcert | ~3.2y | ^1.2.0 | ^1.2.2 | ~2.3y |
| rimraf | ~5mo | ^5.0.7 | ^5.0.10 (6.0.1 available) | ~2mo |

devDependencies

| name | last updated | installed version | available version | package last updated |
| --- | --- | --- | --- | --- |
| @semantic-release/commit-analyzer | ~11mo | ^11.1.0 | ^13.0.0 | ~4mo |
| @semantic-release/release-notes-generator | ~11mo | ^12.1.0 | ^14.0.1 | ~4mo |
| @types/update-notifier | ~3.2y | ^5.1.0 | ^6.0.8 | ~11mo |
| cypress | ~2.5y | ^9.6.0 | ^13.15.0 | ~11d |
| husky | ~3.7y | ^4.3.8 | ^9.1.6 | ~25d |
| lint-staged | ~2.4y | ^12.4.1 | ^15.2.10 | ~1mo |
| semantic-release | ~10mo | ^22.0.12 | ^24.1.2 | ~9d |
| supertest | ~9mo | ^6.3.4 | ^7.0.0 | ~6mo |
| @commitlint/cli | ~6mo | ^19.3.0 | ^19.5.0 | ~25d |
| @commitlint/config-angular | ~6mo | ^19.3.0 | ^19.5.0 | ~25d |
| memfs | ~4mo | ^4.9.3 | ^4.12.0 | ~18d |
| typescript | ~3mo | ^5.5.3 | ^5.6.2 | ~27d |
| vitest | ~3mo | ^2.0.2 | ^2.1.2 | ~4d |
| @types/cli-progress | ~11mo | ^3.11.5 | ^3.11.6 | ~3mo |
| @types/http-proxy | ~11mo | ^1.17.14 | ^1.17.15 | ~2mo |
| @types/node | ~4mo | ^18.19.39 | ^18.19.54 (22.7.4 available) | ~9d |
| start-server-and-test | ~4mo | ^2.0.4 | ^2.0.8 | ~21d |
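As an added example (not code from the issue or the SWA CLI project), the "17 major, 11 minor, 7 patch" header can be recomputed from the installed and available ranges in the table; the row data is copied from the table above and the classification follows npm's caret (^) semantics, under which a minor bump on a 0.x package such as cookie is breaking and counts as major.

```javascript
// Added example, not code from the issue or the SWA CLI project: recompute the
// "17 major, 11 minor, 7 patch" header from the installed/available ranges under
// npm caret (^) semantics, where a minor bump on a 0.x package counts as major.
// Rows copied from the issue's table: "name installed available", comma separated.
const DEP_ROWS = `
chalk ^4.1.2 ^5.3.0, commander ^9.5.0 ^12.1.0, concurrently ^7.6.0 ^9.0.1, cookie ^0.5.0 ^0.7.1,
get-port ^5.1.1 ^7.1.0, internal-ip ^6.2.0 ^8.0.0, open ^8.4.2 ^10.1.0, ora ^5.4.1 ^8.1.0,
wait-on ^7.2.0 ^8.0.1, @azure/identity ^4.3.0 ^4.4.1, @azure/msal-common ^14.13.0 ^14.15.0,
finalhandler ^1.2.0 ^1.3.1, serve-static ^1.15.0 ^1.16.2, update-notifier ^7.0.0 ^7.3.1,
yaml ^2.0.1 ^2.5.1, adm-zip ^0.5.14 ^0.5.16, devcert ^1.2.0 ^1.2.2, rimraf ^5.0.7 ^5.0.10,
@semantic-release/commit-analyzer ^11.1.0 ^13.0.0, @semantic-release/release-notes-generator ^12.1.0 ^14.0.1,
@types/update-notifier ^5.1.0 ^6.0.8, cypress ^9.6.0 ^13.15.0, husky ^4.3.8 ^9.1.6,
lint-staged ^12.4.1 ^15.2.10, semantic-release ^22.0.12 ^24.1.2, supertest ^6.3.4 ^7.0.0,
@commitlint/cli ^19.3.0 ^19.5.0, @commitlint/config-angular ^19.3.0 ^19.5.0, memfs ^4.9.3 ^4.12.0,
typescript ^5.5.3 ^5.6.2, vitest ^2.0.2 ^2.1.2, @types/cli-progress ^3.11.5 ^3.11.6,
@types/http-proxy ^1.17.14 ^1.17.15, @types/node ^18.19.39 ^18.19.54, start-server-and-test ^2.0.4 ^2.0.8
`;

// Strip the range operator and any pre-release/build suffix; return [major, minor, patch].
function parseVersion(range) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(range.trim());
  if (!m) throw new Error(`unparseable version range: ${range}`);
  return m.slice(1, 4).map(Number);
}

// "major" means the available version falls outside the installed caret range.
function classifyBump(installed, available) {
  const [aMaj, aMin, aPat] = parseVersion(installed);
  const [bMaj, bMin, bPat] = parseVersion(available);
  if (bMaj > aMaj) return "major";
  if (bMin > aMin) return aMaj === 0 ? "major" : "minor"; // ^0.x: a minor bump is breaking
  if (bPat > aPat) return aMaj === 0 && aMin === 0 ? "major" : "patch"; // ^0.0.x: patch is breaking
  return "none";
}

function parseRows(text) {
  return text.split(/[,\n]/).map((s) => s.trim()).filter(Boolean).map((entry) => {
    const [name, installed, available] = entry.split(/\s+/);
    return { name, installed, available };
  });
}

function tally(rows) {
  const counts = { major: 0, minor: 0, patch: 0, none: 0 };
  for (const r of rows) counts[classifyBump(r.installed, r.available)] += 1;
  return counts;
}
console.log(tally(parseRows(DEP_ROWS))); // { major: 17, minor: 11, patch: 7, none: 0 }
```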
I've submitted PRs to help address the outdated dependencies:
- PR #961: Enables Dependabot for automated dependency updates going forward
- PR #962: Immediate security fixes reducing vulnerabilities from 21 to 9
These PRs partially address this issue. Once Dependabot is enabled, it will create automated PRs for the remaining outdated dependencies.