SAP / node-rfc

Asynchronous, non-blocking SAP NW RFC SDK bindings for Node.js
Apache License 2.0

Compile for win32_x64 (found 3 high severity vulnerabilities) #202

Closed Berdmanfolk closed 3 years ago

Berdmanfolk commented 3 years ago

Hello! I tried to compile from source, but I get this error:

C:\node-rfc-2.4.0>npm install

> node-rfc@2.4.0 preinstall C:\node-rfc-2.4.0
> npm install cmake-js prebuild-install prebuild node-addon-api

npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.1 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.1: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

+ prebuild-install@6.0.0
+ node-addon-api@3.1.0
+ cmake-js@6.1.0
+ prebuild@10.0.1
added 1104 packages from 559 contributors and audited 1105 packages in 41.681s

48 packages are looking for funding
  run `npm fund` for details

found 3 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

> node-rfc@2.4.0 install C:\node-rfc-2.4.0
> prebuild-install --tag-prefix -r napi || cmake-js rebuild

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.1 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.1: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

audited 1105 packages in 50.413s

48 packages are looking for funding
  run `npm fund` for details

found 3 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

C:\node-rfc-2.4.0>node -v
v14.15.4

C:\node-rfc-2.4.0>npm audit

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  High            Denial of Service

  Package         https-proxy-agent

  Patched in      >=2.2.0

  Dependency of   typings [dev]

  Path            typings > typings-core > popsicle-proxy-agent >
                  https-proxy-agent

  More info       https://npmjs.com/advisories/593

  High            Machine-In-The-Middle

  Package         https-proxy-agent

  Patched in      >=2.2.3

  Dependency of   typings [dev]

  Path            typings > typings-core > popsicle-proxy-agent >
                  https-proxy-agent

  More info       https://npmjs.com/advisories/1184

  High            Denial of Service

  Package         http-proxy-agent

  Patched in      >=2.1.0

  Dependency of   typings [dev]

  Path            typings > typings-core > popsicle-proxy-agent >
                  http-proxy-agent

  More info       https://npmjs.com/advisories/607

found 3 high severity vulnerabilities in 1113 scanned packages
  3 vulnerabilities require manual review. See the full report for details.

C:\node-rfc-2.4.0>

And I can't find the solution. Can you please explain what the error is?

bsrdjan commented 3 years ago

Thanks @Berdmanfolk for opening this issue. The warnings are about dev dependencies and I need to check them in detail. Some probably need an update. The standard installation (without build from source) goes without warnings:

npm i node-rfc

added 3 packages, and audited 3 packages in 35s

found 0 vulnerabilities

but build from source goes with warnings:

git clone https://github.com/SAP/node-rfc
cd node-rfc
npm i
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated popsicle-proxy-agent@3.0.0: Use `agent` option with `popsicle` directly
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated typings@2.1.1: Typings is deprecated in favor of NPM @types -- see README for more information
> node-rfc@2.4.0 preinstall
> npm install cmake-js prebuild-install prebuild node-addon-api

up to date, audited 1103 packages in 3s

48 packages are looking for funding
  run `npm fund` for details

5 high severity vulnerabilities

npm audit 
# npm audit report

http-proxy-agent  <=2.0.0
Severity: high
Denial of Service - https://npmjs.com/advisories/607
fix available via `npm audit fix --force`
Will install typings@0.6.10, which is a breaking change
node_modules/http-proxy-agent
  popsicle-proxy-agent  *
  Depends on vulnerable versions of http-proxy-agent
  node_modules/popsicle-proxy-agent
    typings-core  *
    Depends on vulnerable versions of popsicle-proxy-agent
    node_modules/typings-core
      typings  >=0.7.0
      Depends on vulnerable versions of typings-core
      node_modules/typings

https-proxy-agent  <=2.2.2
Severity: high
Machine-In-The-Middle - https://npmjs.com/advisories/1184
Denial of Service - https://npmjs.com/advisories/593
fix available via `npm audit fix`

bsrdjan commented 3 years ago

The removal of the typings dev dependency fixed the audit issues. The patch will be shipped in the next release.
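The thread's resolution rests on one distinction: all three findings are reachable only through the `typings` devDependency, so they never reach consumers of the published package, and dropping that root closes them. The script below is an added example (not code from node-rfc or from either commenter) that turns the quoted audit output into that triage. The findings are modelled on the three entries in the report above; the installed versions, the `DEV_DEPENDENCIES` set and the action names are constructed assumptions, and the range check handles only the `>=x.y.z` constraints the report uses.

```javascript
// Added example: triage of npm audit findings by dependency chain.
// Not code from node-rfc or from the issue thread. Assumptions: findings are
// modelled on the text report quoted in the issue; installed versions and the
// devDependencies set are constructed sample data.

// Constructed: the only root in the report's paths is typings, tagged [dev] by npm.
const DEV_DEPENDENCIES = new Set(["typings"]);

// Constructed: installed versions chosen to exercise both outcomes of the range check.
const INSTALLED = {
  "https-proxy-agent": "2.2.1", // fixed for advisory 593 (>=2.2.0), still open for 1184 (>=2.2.3)
  "http-proxy-agent": "1.0.0",  // below the >=2.1.0 fix for advisory 607
};

// Constructed sample modelled on the three findings in the issue's npm audit output.
const FINDINGS = [
  { package: "https-proxy-agent", severity: "high", title: "Denial of Service",
    patchedIn: ">=2.2.0", advisory: "https://npmjs.com/advisories/593",
    paths: [["typings", "typings-core", "popsicle-proxy-agent", "https-proxy-agent"]] },
  { package: "https-proxy-agent", severity: "high", title: "Machine-In-The-Middle",
    patchedIn: ">=2.2.3", advisory: "https://npmjs.com/advisories/1184",
    paths: [["typings", "typings-core", "popsicle-proxy-agent", "https-proxy-agent"]] },
  { package: "http-proxy-agent", severity: "high", title: "Denial of Service",
    patchedIn: ">=2.1.0", advisory: "https://npmjs.com/advisories/607",
    paths: [["typings", "typings-core", "popsicle-proxy-agent", "http-proxy-agent"]] },
];

// Parse "major.minor.patch" into numbers; anything else is rejected rather than guessed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Compare two versions component by component: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// The report only states ">=x.y.z" fixes, so that is the only constraint form handled.
function isPatched(installed, patchedIn) {
  const m = /^>=(\d+\.\d+\.\d+)$/.exec(patchedIn);
  if (!m) throw new Error(`unsupported constraint: ${patchedIn}`);
  return compareVersions(installed, m[1]) >= 0;
}

// A finding is dev-only when every chain reaching the vulnerable package starts at a
// devDependency: that code is never installed by consumers of the published package.
function isDevOnly(finding, devDeps) {
  return finding.paths.every((p) => devDeps.has(p[0]));
}

// Classify each finding into an action a maintainer can act on.
function triage(findings, installed, devDeps) {
  return findings.map((f) => {
    const version = installed[f.package];
    const patched = version !== undefined && isPatched(version, f.patchedIn);
    const devOnly = isDevOnly(f, devDeps);
    let action;
    if (patched) action = "already-fixed";
    else if (devOnly) action = "fix-dev-dependency"; // upgrade or drop the dev-only root
    else action = "upgrade-before-release";
    return { package: f.package, title: f.title, advisory: f.advisory,
             roots: f.paths.map((p) => p[0]), devOnly, patched, action };
  });
}

// Summarise what is still open and whether any open finding affects the shipped artifact.
function summarize(results) {
  const open = results.filter((r) => r.action !== "already-fixed");
  return {
    open: open.length,
    productionAffected: open.some((r) => !r.devOnly),
    rootsToFix: [...new Set(open.filter((r) => r.devOnly).flatMap((r) => r.roots))],
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const results = triage(FINDINGS, INSTALLED, DEV_DEPENDENCIES);
  for (const r of results) {
    console.log(`${r.package.padEnd(18)} ${r.title.padEnd(22)} ${r.action}`);
  }
  console.log(summarize(results));
}
```

Run with `node triage.js`: the first https-proxy-agent entry comes out as already fixed at 2.2.1, the other two remain open but dev-only, and the summary names `typings` as the single root to upgrade or remove, which matches the maintainer's fix. A finding whose chain starts at a regular dependency is classified `upgrade-before-release` instead, which is the case that should block a publish.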