
npm audit advises downgrading linaria to version 0.0.0

Open evgenyshipko opened this issue 4 years ago • 0 comments

Environment

  • Linaria version: 2.3.1
  • Bundler (+ version): vite 2.7.6 (uses @linaria/rollup 3.0.0-beta.15)
  • Node.js version: 17.0.1
  • OS: macOS Monterey 12.1 (21C52)

package.json:

"dependencies": {
    "@callstack/react-theme-provider": "^3.0.7",
    "@casl/ability": "^5.4.3",
    "@casl/react": "^2.3.0",
    "@commitlint/cli": "^15.0.0",
    "@commitlint/config-conventional": "^15.0.0",
    "@dnd-kit/core": "^4.0.3",
    "@linaria/babel-preset": "^3.0.0-beta.15",
    "@linaria/core": "^3.0.0-beta.15",
    "@linaria/react": "^3.0.0-beta.15",
    "@linaria/rollup": "^3.0.0-beta.15",
    "@linaria/shaker": "^3.0.0-beta.15",
    "@sentry/react": "^6.16.1",
    "@sentry/tracing": "^6.16.1",
    "@types/react-router": "^5.1.17",
    "@types/styled-components": "^5.1.18",
    "@vitejs/plugin-react": "^1.1.3",
    "axios": "^0.24.0",
    "date-fns": "^2.27.0",
    "history": "^4.10.1",
    "hls.js": "^1.1.2",
    "inputmask": "^5.0.6",
    "linaria": "^2.3.1",
    "lodash": "^4.17.21",
    "lottie-web": "^5.8.1",
    "mobx": "^6.3.9",
    "mobx-observable-history": "^2.0.3",
    "mobx-react-lite": "^3.2.2",
    "qs": "^6.10.2",
    "react": "^17.0.2",
    "react-datepicker": "^4.5.0",
    "react-device-detect": "^2.1.2",
    "react-dom": "^17.0.2",
    "react-helmet": "^6.1.0",
    "react-hook-form": "^7.22.3",
    "react-router-dom": "^5.2.0",
    "react-select": "^5.2.1",
    "rollup-plugin-visualizer": "^5.5.2",
    "tsconfig-paths": "^3.12.0",
    "uuid": "^8.3.2",
    "vite": "^2.7.6",
    "vite-plugin-svgr": "^0.6.0",
    "vite-tsconfig-paths": "^3.3.17"
  },
  "devDependencies": {
    "@types/lodash": "^4.14.178",
    "@types/node": "^17.0.2",
    "@types/qs": "^6.9.7",
    "@types/react": "^17.0.37",
    "@types/react-dom": "^17.0.11",
    "@types/react-helmet": "^6.1.4",
    "@types/react-router-dom": "^5.3.2",
    "@types/uuid": "^8.3.3",
    "@typescript-eslint/eslint-plugin": "^5.5.0",
    "@typescript-eslint/parser": "^5.5.0",
    "eslint": "^8.3.0",
    "eslint-config-airbnb": "^18.2.1",
    "eslint-config-airbnb-base": "^14.2.1",
    "eslint-config-bdsm": "^0.0.7",
    "eslint-config-prettier": "^8.3.0",
    "eslint-import-resolver-typescript": "^2.5.0",
    "eslint-plugin-import": "^2.25.3",
    "eslint-plugin-jsx-a11y": "^6.5.1",
    "eslint-plugin-prettier": "^4.0.0",
    "eslint-plugin-react": "^7.27.1",
    "eslint-plugin-react-hooks": "^4.3.0",
    "eslint-plugin-sonarjs": "^0.11.0",
    "husky": "^7.0.4",
    "is-ci": "^3.0.1",
    "lint-staged": "^12.1.3",
    "prettier": "^2.5.1",
    "semantic-release": "^19.0.2",
    "typescript": "^4.5.4"
  },

vite.js config:

...
plugins: [
    linaria({
      sourceMap: process.env.NODE_ENV !== "production",
      classNameSlug: (hash: string, title: string) => `${title}-${hash}`,
      exclude: ["node_modules/font-awesome/css/font-awesome.min.css"],
    }),
    tsconfigPaths(),
    svgr(),
    react({
      babel: {
        sourceMaps: true,
        plugins: [
          ["@babel/plugin-proposal-class-properties", { loose: false }],
        ],
        assumptions: {
          setPublicClassFields: false,
        },
      },
    }),
    visualizer(),
  ],
...

Description

The `npm audit` command gives the following:

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via npm audit fix --force
Will install linaria@0.0.0, which is a breaking change
node_modules/linaria/node_modules/ansi-regex
node_modules/npm/node_modules/cli-table3/node_modules/ansi-regex
node_modules/npm/node_modules/string-width/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/linaria/node_modules/strip-ansi
  node_modules/npm/node_modules/string-width/node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/linaria/node_modules/cliui
      yargs  10.1.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of string-width
      node_modules/linaria/node_modules/yargs
        linaria  0.0.1 - 2.3.1
        Depends on vulnerable versions of postcss
        Depends on vulnerable versions of strip-ansi
        Depends on vulnerable versions of yargs
        node_modules/linaria
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/linaria/node_modules/string-width
    node_modules/npm/node_modules/string-width
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/linaria/node_modules/wrap-ansi

postcss  <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via npm audit fix --force
Will install linaria@0.0.0, which is a breaking change
node_modules/linaria/node_modules/postcss
  linaria  0.0.1 - 2.3.1
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of strip-ansi
  Depends on vulnerable versions of yargs
  node_modules/linaria

and `npm audit fix --force` really does downgrade the linaria dependency to linaria@0.0.0 — presumably because the audit flags every published version in the range 0.0.1 - 2.3.1 (see the `linaria 0.0.1 - 2.3.1` entries above), leaving 0.0.0 as the only version outside that range.

evgenyshipko · Jan 19 '22 14:01