ButterCMS / angular-starter-buttercms

Drop-in proof-of-concept Angular app, fully integrated with your ButterCMS account
https://angular-starter-buttercms.vercel.app

old packages + severe vulnerabilities with npm install #1

Closed ViolanteCodes closed 2 years ago

ViolanteCodes commented 2 years ago

Running npm install on a fresh install (using node 16.14.0) reveals a number of old/potentially deprecated dependencies as shown by warnings, including some libraries which are no longer supported:

maria@maria-Galago-Pro:~/Programming/butter/starters/angular-starter-buttercms$ npm install
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated tslint@6.1.3: TSLint has been deprecated in favor of ESLint. Please see https://github.com/palantir/tslint/issues/4534 for more information.

added 1162 packages, and audited 1163 packages in 20s

109 packages are looking for funding
  run `npm fund` for details

7 vulnerabilities (2 moderate, 5 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

Here are the npm audit results:

maria@maria-Galago-Pro:~/Programming/butter/starters/angular-starter-buttercms$ npm audit
# npm audit report

@angular/core  <11.0.5
Severity: moderate
Cross site scripting in Angular - https://github.com/advisories/GHSA-c75v-2vq8-878f
fix available via `npm audit fix --force`
Will install codelyzer@0.0.28, which is a breaking change
node_modules/codelyzer/node_modules/@angular/core
  codelyzer  >=1.0.0-beta.0
  Depends on vulnerable versions of @angular/core
  node_modules/codelyzer

glob-parent  <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
No fix available
node_modules/cpy/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/cpy/node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/cpy/node_modules/globby
      cpy  7.0.0 - 8.1.2
      Depends on vulnerable versions of globby
      node_modules/cpy
        @ngx-env/builder  *
        Depends on vulnerable versions of cpy
        node_modules/@ngx-env/builder

7 vulnerabilities (2 moderate, 5 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

My guess is that angular core needs to be upgraded, and that said upgrade would fix a number of these issues, but I'm also not an angular developer. Ultimately, though, we need there to be a minimum of warnings/vulnerabilities with installation. Although Angular is being sunset, we are really aiming for a frictionless integration/implementation.
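As an added example (not code from this thread or from the ButterCMS starter), a small Node script that triages an `npm audit --json` report the way a reviewer would when handling the output quoted above: it counts findings per severity, picks out the entries that carry an actual advisory (as opposed to packages that are merely downstream of one), and walks each advisory's `effects` chain up to the direct dependency in package.json that would have to be bumped or replaced. The field names (`vulnerabilities`, `via`, `effects`, `isDirect`, `fixAvailable`) follow npm 7+'s `auditReportVersion: 2` JSON shape as assumed here; the embedded report is a constructed sample that mirrors the two chains in the audit output, not data captured from the repository.

```javascript
// Added example: triage an `npm audit --json` report (npm 7+ "auditReportVersion": 2
// shape assumed). Constructed sample below mirrors the glob-parent and @angular/core
// chains reported in the issue; only the fields this script reads are filled in.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-parent": { name: "glob-parent", severity: "high", isDirect: false, range: "<5.1.2",
      via: [{ title: "Regular expression denial of service in glob-parent",
              url: "https://github.com/advisories/GHSA-ww39-953v-wcq6", severity: "high", range: "<5.1.2" }],
      effects: ["fast-glob"], fixAvailable: false },
    "fast-glob": { name: "fast-glob", severity: "high", isDirect: false, range: "<=2.2.7",
      via: ["glob-parent"], effects: ["globby"], fixAvailable: false },
    "globby": { name: "globby", severity: "high", isDirect: false, range: "8.0.0 - 9.2.0",
      via: ["fast-glob"], effects: ["cpy"], fixAvailable: false },
    "cpy": { name: "cpy", severity: "high", isDirect: false, range: "7.0.0 - 8.1.2",
      via: ["globby"], effects: ["@ngx-env/builder"], fixAvailable: false },
    "@ngx-env/builder": { name: "@ngx-env/builder", severity: "high", isDirect: true, range: "*",
      via: ["cpy"], effects: [], fixAvailable: false },
    "@angular/core": { name: "@angular/core", severity: "moderate", isDirect: false, range: "<11.0.5",
      via: [{ title: "Cross site scripting in Angular",
              url: "https://github.com/advisories/GHSA-c75v-2vq8-878f", severity: "moderate", range: "<11.0.5" }],
      effects: ["codelyzer"], fixAvailable: { name: "codelyzer", version: "0.0.28", isSemVerMajor: true } },
    "codelyzer": { name: "codelyzer", severity: "moderate", isDirect: true, range: ">=1.0.0-beta.0",
      via: ["@angular/core"], effects: [], fixAvailable: { name: "codelyzer", version: "0.0.28", isSemVerMajor: true } },
  },
};

// Per-severity totals, the same numbers npm prints in its "N vulnerabilities (...)" line.
function countBySeverity(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const v of Object.values(report.vulnerabilities)) counts[v.severity] += 1;
  return counts;
}

// An entry whose `via` holds an advisory object is the package that is actually
// vulnerable; entries whose `via` is only package names are transitively affected.
function rootAdvisories(report) {
  const out = [];
  for (const v of Object.values(report.vulnerabilities)) {
    for (const via of v.via || []) {
      if (typeof via === "object") {
        out.push({ package: v.name, range: v.range, severity: via.severity, title: via.title, url: via.url });
      }
    }
  }
  return out;
}

// Breadth-first walk up the `effects` edges until we hit packages marked isDirect:
// those are the package.json entries you would have to upgrade or swap out.
function directDependentsOf(report, pkg) {
  const direct = new Set();
  const seen = new Set([pkg]);
  const queue = [pkg];
  while (queue.length) {
    const name = queue.shift();
    const entry = report.vulnerabilities[name];
    if (!entry) continue;
    if (entry.isDirect) direct.add(name);
    for (const eff of entry.effects || []) {
      if (!seen.has(eff)) { seen.add(eff); queue.push(eff); }
    }
  }
  return [...direct].sort();
}

// CI gate: true when any finding is at or above `threshold` (e.g. "high").
function exceedsThreshold(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  return Object.values(report.vulnerabilities).some((v) => SEVERITY_RANK[v.severity] >= min);
}

// One row per advisory: what is vulnerable, who pulls it in, and whether npm has a fix.
function triage(report) {
  return rootAdvisories(report).map((a) => ({
    ...a,
    directDependents: directDependentsOf(report, a.package),
    fixAvailable: report.vulnerabilities[a.package].fixAvailable,
  }));
}

function formatTriage(report) {
  const c = countBySeverity(report);
  const lines = [`severity: moderate=${c.moderate} high=${c.high} critical=${c.critical}`];
  for (const row of triage(report)) {
    const fix = row.fixAvailable === false ? "no fix"
      : row.fixAvailable === true ? "fix via npm audit fix"
      : `fix installs ${row.fixAvailable.name}@${row.fixAvailable.version}` +
        (row.fixAvailable.isSemVerMajor ? " (breaking)" : "");
    lines.push(`[${row.severity}] ${row.package} ${row.range}: ${row.title}; pulled in by ${row.directDependents.join(", ")}; ${fix}`);
  }
  return lines.join("\n");
}

console.log(formatTriage(SAMPLE_REPORT));
```

To run it against a real project, replace `SAMPLE_REPORT` with `JSON.parse` of the output of `npm audit --json` (for example by reading it from stdin); the walk up `effects` is what turns a deep `node_modules/cpy/node_modules/glob-parent` finding into the actionable fact that `@ngx-env/builder` is the dependency to change.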

ViolanteCodes commented 2 years ago

@pikorkar I spoke with @prokopsimek and he said it might be easiest for us to communicate directly - are you okay with me tagging issues via github issues, or is there another method of communication you'd prefer (e.g. putting issues on a project board, etc.?)

pikorkar commented 2 years ago

@ViolanteCodes It's ok to communicate via GitHub issues.

ViolanteCodes commented 2 years ago

@pikorkar great. I'll add issues here to the project as they're identified. For right now, is it possible to update the project's dependencies and packages to eliminate warnings, etc? We didn't want to proceed further with testing until this part, as in the past, some of the starter projects have broken after updating, which caused us to need to restart the process of testing from the beginning again to make sure nothing was missed.

pikorkar commented 2 years ago

I updated Angular core to the newest version.

ViolanteCodes commented 2 years ago

@pikorkar I appreciate that! Unfortunately, I'm still seeing a ton of deprecation warnings on a fresh install, as well as a warning about five severe vulnerabilities. Is it possible to update dependencies and fix these? We're really excited to dive into testing this one :)