create-nuxt-app
create-nuxt-app copied to clipboard
nuxt
Default app creation with vulnerabilities
Version
create-nuxt-app:
Steps to reproduce
- https://nuxtjs.org/docs/get-started/installation
- Create a new app
- Run npm install
What is Expected?
No vulnerabilities
What is actually happening?
Agree this is a pain in the neck. For example when creating a new NUXT app we get the following deprecated libraries... Al that is needed is somework around the dependcy mapping as most of the new versions should provide some backwards compatibility (maybe??)
Warning: name can no longer contain capital letters
npm WARN deprecated [email protected]: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a s
lowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated @types/[email protected]: This is a stub types definition. anymatch provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/[email protected]: This is a stub types definition. browserslist provides its own type definitions, so you do not need this installed.
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated [email protected]: flatten is deprecated in favor of utility frameworks such as lodash.
npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
I manually updated some of the packages in one of our projects (https://github.com/teemops/tui) and it still runs OK.
And nobody on the NUXT team seems to be bothered with this. can we rely on them to build production-ready applications?!
Update on 2022-05-03:
create-nuxt-app v4.0.0
✨ Generating Nuxt.js project in test-nuxt-app
? Project name: test-nuxt-app
? Programming language: JavaScript
? Package manager: Npm
? UI framework: None
? Nuxt.js modules: (Press <space> to select, <a> to toggle all, <i> to invert se
lection)
? Linting tools: (Press <space> to select, <a> to toggle all, <i> to invert sele
ction)
? Testing framework: None
? Rendering mode: Single Page App
? Deployment target: Server (Node.js hosting)
? Development tools: (Press <space> to select, <a> to toggle all, <i> to invert
selection)
? What is your GitHub username? ecerulm
? Version control system: None
🎉 Successfully created project test-nuxt-app
To get started:
cd test-nuxt-app
npm run dev
The project generated will have 15 vulnerabilities (7 moderate, 8 high):
cd test-nuxt-app
npm audit
# npm audit report
glob-parent <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
@nuxt/webpack *
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of webpack
node_modules/@nuxt/webpack
@nuxt/builder >=2.14.0
Depends on vulnerable versions of @nuxt/webpack
node_modules/@nuxt/builder
nuxt 2.14.0 - 2.15.8
Depends on vulnerable versions of @nuxt/webpack
node_modules/nuxt
nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.8
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin
15 vulnerabilities (7 moderate, 8 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
It's worth noting that this is not really introduced by create-nuxt-app itself, creating a nuxt project manually also brings all these vulnerabilities
node --version
v16.15.0
npm --version
8.8.0
cd ~/tmp
mkdir my-nuxt-app
cd my-nuxt-app
npm init
npm install --save nuxt # will install [email protected]
npm audit
# 15 vulnerabilities (7 moderate, 8 high)
The nuxt project itself says in https://github.com/nuxt/nuxt.js/issues/9284 that those vulnerabilities won't be fixed in 2.x because fixing them will imply breaking changes.
Quoting from the other issue
This doesn't always mean Nuxt is vulnerable since most of them are applicable when untrusted user input is involved while these sub-dependencies in Nuxt are used in the build step and during development only.
For example npm audit reports glob-parent: <5.1.2 as vulnerability which https://github.com/nuxt/nuxt.js/issues/9284 lists as "safe to ignore":
2020-28469 glob-parent<5.1.2 Fixed Is only vulnerable to DoS attack when in an untrusted development environment
So it seems that nuxt 2.x will never get rid of those vulnerabilities because the packages can't be updated without breaking functionality. But apparently those vulnerabilities are in packages used in development/build time and do not represent vulnerabilities in the final nuxt apps.
https://overreacted.io/npm-audit-broken-by-design/ explain in more detail the npm audit situation for tools like create-react-app and create-nuxt-app and why those npm audit are or can be misleading.