Update package from cpx to cpx2 as cpx is not maintained
Tell us about your feature idea
Just started with PWABuilder and ran the command
npm i -g @pwabuilder/cli
and got the output
> npm i -g @pwabuilder/cli
npm WARN deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
added 297 packages in 18s
17 packages are looking for funding
run `npm fund` for details
> npm audit
# npm audit report
braces <=3.0.2
Severity: high
Regular Expression Denial of Service in braces - https://github.com/advisories/GHSA-g95f-p29q-9xw4
Regular Expression Denial of Service (ReDoS) in braces - https://github.com/advisories/GHSA-cwfw-4gq5-mrqx
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/braces
node_modules/readdirp/node_modules/braces
micromatch <=4.0.7
Depends on vulnerable versions of braces
Depends on vulnerable versions of braces
node_modules/micromatch
node_modules/readdirp/node_modules/micromatch
anymatch 1.2.0 - 2.0.0
Depends on vulnerable versions of micromatch
node_modules/anymatch
chokidar 1.3.0 - 2.1.8
Depends on vulnerable versions of anymatch
node_modules/chokidar
cpx >=1.3.0
Depends on vulnerable versions of chokidar
node_modules/cpx
readdirp 2.2.0 - 2.2.1
Depends on vulnerable versions of micromatch
node_modules/readdirp
6 vulnerabilities (4 moderate, 2 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
As far as I can see, the package cpx is used, which is causing this warning to show up. This is due to the cpx package not having been maintained for the last 9 years. The good thing is that cpx is only used for the prepublishOnly script:
"prepublishOnly": "tsc && cpx \".\\README.md\" \".\\dist\\README.md\"",
This can be mitigated by using "cpx2". This is a fork and a drop-in replacement for "cpx". Since this is only used during prepublish as far as I can tell, should I create a PR to upgrade the package?
Do you have an implementation or a solution in mind?
Just changing the package from cpx to cpx2 should be fine.
Have you considered any alternatives?
No response
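To confirm which direct dependency pulls in the vulnerable braces before swapping packages, the chain in the audit report can be walked programmatically. This is an added example, not part of the original issue or the PWABuilder code base; it assumes the `npm audit --json` report shape of npm 7 and later (`vulnerabilities`, `via`, `effects`, `isDirect`), and both the sample report and the sample package.json are constructed.

```javascript
// Constructed sample shaped like `npm audit --json` output (auditReportVersion 2),
// mirroring the chain in the report above. Not real tool output.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    braces: { isDirect: false, effects: ["micromatch"],
      via: [{ url: "https://github.com/advisories/GHSA-grv7-fg5c-xmjg" }] },
    micromatch: { isDirect: false, via: ["braces"], effects: ["anymatch", "readdirp"] },
    anymatch: { isDirect: false, via: ["micromatch"], effects: ["chokidar"] },
    readdirp: { isDirect: false, via: ["micromatch"], effects: [] },
    chokidar: { isDirect: false, via: ["anymatch"], effects: ["cpx"] },
    cpx: { isDirect: true, via: ["chokidar"], effects: [] },
  },
};
// Constructed package.json; the version and the "dependencies" placement are assumptions.
const samplePkg = {
  dependencies: { cpx: "0.0.0-placeholder" },
  scripts: { build: "tsc", prepublishOnly: 'tsc && cpx ".\\README.md" ".\\dist\\README.md"' },
};

// Walk from each package that carries an advisory (object entries in `via`)
// up through `effects` until a direct dependency is reached.
function chainsToDirectDeps(report) {
  const vulns = report.vulnerabilities || {};
  const chains = [];
  const walk = (name, path) => {
    const node = vulns[name];
    if (!node || path.includes(name)) return; // unknown package or cycle
    const next = [...path, name];
    if (node.isDirect) chains.push(next);
    for (const parent of node.effects || []) walk(parent, next);
  };
  for (const [name, node] of Object.entries(vulns)) {
    if ((node.via || []).some((v) => typeof v === "object")) walk(name, []);
  }
  return chains;
}

// Report where a direct dependency is declared and which npm scripts invoke it.
function usageOf(pkgJson, dep) {
  const esc = dep.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const invoked = new RegExp(`(^|[\\s&|;])${esc}(\\s|$)`);
  const section = ["dependencies", "devDependencies", "optionalDependencies"]
    .find((s) => pkgJson[s] && dep in pkgJson[s]) || null;
  const scripts = Object.entries(pkgJson.scripts || {})
    .filter(([, cmd]) => invoked.test(cmd)).map(([name]) => name);
  return { section, scripts };
}

for (const chain of chainsToDirectDeps(sampleReport)) {
  console.log(chain.join(" -> "), usageOf(samplePkg, chain[chain.length - 1]));
}
```

A tool that is invoked only from `prepublishOnly` but is listed under `dependencies` is installed for every consumer of the package, which is why the check reports the declaring section alongside the scripts.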
This issue has been marked as "needs attention 👋" since it has not been triaged for 7 days. Please triage the issue.
Sure, please issue a PR with that package update. Thanks!