
Yo should use esm

Open Logicer16 opened this issue 1 year ago • 2 comments

Type of issue

Bug Report


My environment

  • OS version/details: macOS Monterey 12.6.7
  • Node version: v20.2.0 (run node --version in your terminal)
  • npm version: 9.6.6 (run npm --version in your terminal)
  • Version of yo : 4.3.1 (run yo --version in your terminal)

Expected behavior

yo has no vulnerable dependencies.

Current behavior

The following are vulnerable package versions from yo and its dependencies, yeoman/doctor and yeoman/insight:

meow: < v6.0.0
bin-version-check: < v5.0.0
got: < v12.0.0
npm-keyword: < v7.0.0
update-notifier: < v6.0.0
latest-version: < v6.0.0

However, these packages are now all pure esm. To allow these dependencies to be updated, and thus the vulnerabilities to be fixed, yo, yeoman/doctor, and yeoman/insight should switch to esm as well.

This has additionally caused problems with insight as os-name >= v5.0.0 is also pure esm, which resulted in insight being removed.

This has been an ongoing issue for the project. Related issues I've found include (17 total):

  • #786
  • #780
  • #773
  • #766
  • #753
  • #751
  • #749
  • #716
  • #679
  • #683
  • https://github.com/yeoman/insight/issues/83
  • https://github.com/yeoman/insight/pull/82
  • https://github.com/yeoman/insight/issues/81
  • https://github.com/yeoman/insight/pull/80
  • https://github.com/yeoman/insight/issues/78
  • https://github.com/yeoman/insight/issues/52
  • https://github.com/yeoman/doctor/pull/58

Each of these requires this to be implemented in order to be properly fixed.

Other yeoman packages have already made the switch to esm, including update-notifier, stringify-object, and configstore, with environment and generator soon to follow.

Steps to reproduce the behavior

npm audit

Command line output

# npm audit report

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
node_modules/latest-version/node_modules/got
node_modules/npm-keyword/node_modules/got
node_modules/yeoman-doctor/node_modules/got
  npm-keyword  <=6.1.0
  Depends on vulnerable versions of got
  node_modules/npm-keyword
    yo  >=1.2.1
    Depends on vulnerable versions of got
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-keyword
    Depends on vulnerable versions of update-notifier
    Depends on vulnerable versions of yeoman-doctor
    node_modules/yo
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/latest-version/node_modules/package-json
  node_modules/yeoman-doctor/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
    node_modules/yeoman-doctor/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
      yeoman-doctor  >=1.4.0
      Depends on vulnerable versions of bin-version-check
      Depends on vulnerable versions of latest-version
      node_modules/yeoman-doctor

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cacheable-request/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/cacheable-request

semver-regex  <=3.1.3
Severity: high
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/semver-regex
  find-versions  <=3.2.0
  Depends on vulnerable versions of semver-regex
  node_modules/find-versions
    bin-version  <=4.0.0
    Depends on vulnerable versions of find-versions
    node_modules/bin-version
      bin-version-check  <=4.0.0
      Depends on vulnerable versions of bin-version
      node_modules/bin-version-check

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/yargs-parser

16 vulnerabilities (5 moderate, 11 high)

Logicer16 · May 27 '23 12:05