
npm audit shows solidarity containing 10 vulnerabilities (6 moderate, 2 high, 2 critical)

Open FrederickEngelhardt opened this issue 7 months ago • 0 comments

Describe the bug

Installing solidarity in a blank repo reveals the following issues on solidarity 3.0.4.

Most of these issues seem to be brought in with [email protected]. They look to be removed / fixed in higher versions of gluegun, i.e. 5.1.6 had 7 moderate issues.

  • [email protected] seems to work for simple use cases of solidarity. Not sure about all features.
  • Fixing/updating gluegun does not fix the 2 high issues (the json5 issue or the lodash.trim DoS).

Hoping these issues can be fixed to keep the solidarity cli working without bringing in vulnerabilities.

Stop-gap

Below is an example of the npm overrides (for yarn use resolutions) to fix only the critical and high vulnerabilities.

  • This won't help those that require older versions of these packages, but solidarity as a raw cli without plugins seems stable with this.

Package.json

{
  "overrides": {
    "axios": "1.7.2",
    "ejs": ">=3.1.10",
    "json5": ">=2.2.3",
    "lodash": "4.17.21",
    "set-value": ">=4.1.0"
  }
}

To Reproduce

Steps to reproduce the behavior:

I swapped to npm ^10.x.x. This can be done on node >=18.20 (10.7.0) or higher versions. The current version I was using was [email protected] with [email protected]. Node version should not matter...but having a higher version of yarn or npm ideally helps debug these dependency vulnerabilities.

Script to make an empty repo and install things

mkdir solidarity-test
cd solidarity-test
npm init -y
npm i -D [email protected]
npm audit > npm-audit.log

Audit output

Here is the audit output for solidarity installed in isolation at 3.0.4

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - <https://github.com/advisories/GHSA-wf5p-g6vw-rhxx>
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios
  apisauce  <=3.0.0
  Depends on vulnerable versions of axios
  node_modules/apisauce
    gluegun  >=0.3.0
    Depends on vulnerable versions of apisauce
    Depends on vulnerable versions of ejs
    Depends on vulnerable versions of lodash.trim
    Depends on vulnerable versions of lodash.trimend
    Depends on vulnerable versions of yargs-parser
    node_modules/solidarity/node_modules/gluegun
      solidarity  >=0.1.0
      Depends on vulnerable versions of gluegun
      Depends on vulnerable versions of json5
      node_modules/solidarity

ejs  <=3.1.9
Severity: critical
ejs template injection vulnerability - <https://github.com/advisories/GHSA-phwq-j96m-2c2q>
ejs lacks certain pollution protection - <https://github.com/advisories/GHSA-ghr5-ch3p-vcr6>
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/solidarity/node_modules/ejs

json5  2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - <https://github.com/advisories/GHSA-9c47-m6qq-7p4h>
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/json5

lodash.trim  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - <https://github.com/advisories/GHSA-29mw-wpgm-hmr9>
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/lodash.trim

lodash.trimend  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - <https://github.com/advisories/GHSA-29mw-wpgm-hmr9>
fix available via `npm audit fix`
node_modules/lodash.trimend

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - <https://github.com/advisories/GHSA-c2qf-rxjj-qqgw>
fix available via `npm audit fix`
node_modules/semver

yargs-parser  >=16.0.0 <18.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - <https://github.com/advisories/GHSA-p9pc-299p-vxgp>
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/solidarity/node_modules/yargs-parser

10 vulnerabilities (6 moderate, 2 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Expected behavior

Solidarity should not bring in dependency versions with known vulnerabilities: hopefully 0 moderate issues, but no high and critical flagged issues.

Screenshots

N/A

Doctor (please complete the following information)

  • OS: Mac OS 14.5
  • Solidarity Version: 3.0.4

Additional context

Add any other context about the problem here.

FrederickEngelhardt, Jul 03 '24 11:07
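A defender-side check for the stop-gap described in the issue, written as an added example (not code from the issue or from the solidarity project): it takes an `npm audit --json` report together with a package.json `overrides` block and lists the vulnerable packages at or above a severity threshold that no override targets. The audit data is a constructed sample shaped after the report above, not real npm output.

```javascript
// Added example, not code from the issue or from solidarity: compare an
// `npm audit --json` report (npm 7+ "auditReportVersion: 2" shape) with the
// "overrides" block of a package.json and list vulnerable packages at or above
// a severity threshold that no override is keyed on.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the issue's audit output; not real npm output.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios:         { name: 'axios',       severity: 'moderate', range: '0.8.1 - 0.27.2' },
    ejs:           { name: 'ejs',         severity: 'critical', range: '<=3.1.9' },
    json5:         { name: 'json5',       severity: 'high',     range: '2.0.0 - 2.2.1' },
    'lodash.trim': { name: 'lodash.trim', severity: 'moderate', range: '*' },
    semver:        { name: 'semver',      severity: 'moderate', range: '7.0.0 - 7.5.1' },
  },
};

// The stop-gap overrides from the issue's package.json.
const sampleOverrides = {
  axios: '1.7.2', ejs: '>=3.1.10', json5: '>=2.2.3', lodash: '4.17.21', 'set-value': '>=4.1.0',
};

// Vulnerable packages at or above `threshold` with no override keyed on their
// exact name. Overrides match package names, so an override on "lodash" does
// not cover the separate "lodash.trim" package; it stays uncovered below.
function uncoveredVulns(audit, overrides, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  return Object.values(audit.vulnerabilities)
    .filter((v) => SEVERITY_RANK[v.severity] >= min)
    .filter((v) => !Object.prototype.hasOwnProperty.call(overrides, v.name))
    .map((v) => `${v.name}@${v.range} (${v.severity})`)
    .sort();
}

// Per-severity totals, the numbers behind npm's "N vulnerabilities (...)" line.
function countBySeverity(audit) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const v of Object.values(audit.vulnerabilities)) counts[v.severity] += 1;
  return counts;
}

// Gate the way a CI step would: fail if any high/critical finding is left uncovered.
const remaining = uncoveredVulns(sampleAudit, sampleOverrides, 'high');
console.log('counts:', countBySeverity(sampleAudit));
console.log('uncovered at >=moderate:', uncoveredVulns(sampleAudit, sampleOverrides, 'moderate'));
console.log(remaining.length ? `uncovered high/critical: ${remaining}` : 'all high/critical overridden');
process.exitCode = remaining.length ? 1 : 0;
```

Against the sample, the overrides cover both the critical (ejs) and high (json5) findings, while lodash.trim and semver remain uncovered at the moderate threshold, matching the issue's note that the overrides address only critical and high.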