
high severity vulnerabilities

Open kikawet opened this issue 2 years ago • 0 comments

Current Behavior

When installing a fresh @nx-plus/vue dependency, npm audit reveals 7 high severity vulnerabilities (error output in Steps to Reproduce).

Further report from npm audit:

$ npm audit
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.
# npm audit report

glob-parent  <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @nx-plus/[email protected], which is a breaking change
node_modules/@nx-plus/vue/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/@nx-plus/vue/node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/@nx-plus/vue/node_modules/webpack
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/@nx-plus/vue/node_modules/copy-webpack-plugin
    @nx-plus/vue  >=0.5.0
    Depends on vulnerable versions of copy-webpack-plugin
    node_modules/@nx-plus/vue

7 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Steps to Reproduce

Run the following command and you should get this output

$ npm install @nx-plus/vue --save-dev
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated   
npm WARN deprecated @hapi/[email protected]: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/[email protected]: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated @hapi/[email protected]: Moved to 'npm install @sideway/address'
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/[email protected]: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/[email protected]: Switch to 'npm install joi'

added 1349 packages, and audited 1350 packages in 3m

88 packages are looking for funding
  run `npm fund` for details

7 high severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

This issue may not be prioritized if details are not provided to help us reproduce the issue.

Failure Logs

Environment

Plugin name and version: "@nx-plus/vue": "^14.1.0"

$ nx report
npm WARN config global `--global`, `--local` are deprecated. Use `--location=global` instead.

 >  NX   Report complete - copy this into the issue template

   Node : 16.15.1
   OS   : win32 x64
   npm  : 8.12.1

   nx : 14.4.0
   @nrwl/angular : Not Found
   @nrwl/cypress : 14.4.0
   @nrwl/detox : Not Found
   @nrwl/devkit : 14.4.0
   @nrwl/eslint-plugin-nx : 14.4.0
   @nrwl/express : 14.4.0
   @nrwl/jest : 14.4.0
   @nrwl/js : 14.4.0
   @nrwl/linter : 14.4.0
   @nrwl/nest : 14.4.0
   @nrwl/next : Not Found
   @nrwl/node : 14.4.0
   @nrwl/nx-cloud : Not Found
   @nrwl/nx-plugin : Not Found
   @nrwl/react : Not Found
   @nrwl/react-native : Not Found
   @nrwl/schematics : Not Found
   @nrwl/storybook : Not Found
   @nrwl/web : Not Found
   @nrwl/workspace : 14.4.0
   typescript : 4.7.4
   ---------------------------------------
   Community plugins:
         @nx-plus/vue: 14.1.0

kikawet avatar Jul 05 '22 18:07 kikawet
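As an added illustration (not code from the issue, nor from nx-plus): a small Python parser for the npm audit tree format quoted above. It reconstructs the chains from the vulnerable glob-parent back to the packages the project actually declares, and derives the package.json `overrides` pin that avoids the breaking downgrade proposed by `npm audit fix --force`. The sample report is constructed from the issue's output; the override helper assumes the advisory range is a plain "<x.y.z" upper bound.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the tree section of the npm audit report quoted in the issue.
SAMPLE_REPORT = """\
glob-parent  <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
node_modules/@nx-plus/vue/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
    watchpack-chokidar2  *
      watchpack  1.7.2 - 1.7.5
        webpack  4.44.0 - 4.46.0
  copy-webpack-plugin  5.0.1 - 5.1.2
    @nx-plus/vue  >=0.5.0
"""

# Package lines are "<indent><name><2+ spaces><range>"; all other report lines use single spaces.
PKG_LINE = re.compile(r"^( *)(@?[A-Za-z0-9._/-]+) {2,}(\S.*)$")

def parse_advisory(report: str) -> Dict[str, str]:
    # Vulnerable package and range from the header line; severity and advisory URL below it.
    head = PKG_LINE.match(report.splitlines()[0])
    sev = re.search(r"^Severity: (\w+)$", report, re.M)
    url = re.search(r"https://github\.com/advisories/\S+", report)
    return {"package": head.group(2), "range": head.group(3).strip(),
            "severity": sev.group(1) if sev else "", "advisory": url.group(0) if url else ""}

def dependency_chains(report: str) -> List[List[str]]:
    # Root-to-leaf paths: element 0 is the vulnerable package, the last element is the
    # outermost dependent, i.e. the package the project itself declares.
    stack: List[Tuple[int, str]] = []
    chains: List[List[str]] = []
    for m in filter(None, map(PKG_LINE.match, report.splitlines())):
        indent, name = len(m.group(1)), m.group(2)
        while stack and stack[-1][0] >= indent:  # climb back to the parent level
            stack.pop()
        stack.append((indent, name))
        chains.append([n for _, n in stack])
    # Keep only maximal chains (drop any chain that is a prefix of a longer one).
    return [c for c in chains
            if not any(len(o) > len(c) and o[: len(c)] == c for o in chains)]

def override_for(info: Dict[str, str]) -> Dict[str, str]:
    # package.json "overrides" pin to the first fixed version; assumes a plain "<x.y.z"
    # range, as glob-parent has in this report (assumption: verify against the advisory).
    m = re.fullmatch(r"<(\d+\.\d+\.\d+)", info["range"])
    return {info["package"]: ">=" + m.group(1)} if m else {}
```

npm honours the `overrides` field from 8.3 onward, so it applies to the npm 8.12.1 in the report; whether a forced glob-parent 5.1.2 still works with chokidar 2 and copy-webpack-plugin 5 has to be confirmed by running the build.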