Snivilization / nodejs-esm-starter

Starter project for NodeJs esm packages, with rollup, typescript, mocha, chai, eslint, istanbul/nyc, gulp and i18next
MIT License

resolve vulnerabilities in dependencies #17

Closed plastikfan closed 2 years ago

plastikfan commented 2 years ago

In particular, gulp and gulp-eslint seem to still be dependent upon vulnerabilities.

Try these approaches:

plastikfan commented 2 years ago

Using active-forks, I was able to find the most active up to date fork for gulp-eslint: gulp-eslint-new

plastikfan commented 2 years ago

Here is the vulnerability profile:

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install gulp-eslint@4.0.2, which is a breaking change
node_modules/gulp-eslint/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
node_modules/wide-align/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/gulp-eslint/node_modules/strip-ansi
  node_modules/table/node_modules/strip-ansi
  node_modules/wide-align/node_modules/strip-ansi
    eslint  4.5.0 - 7.15.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of table
    node_modules/gulp-eslint/node_modules/eslint
      gulp-eslint  2.0.0-rc-1 - 2.0.0-rc-3 || >=5.0.0
      Depends on vulnerable versions of eslint
      node_modules/gulp-eslint
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/table/node_modules/string-width
    node_modules/wide-align/node_modules/string-width
      table  4.0.2 - 5.4.6
      Depends on vulnerable versions of string-width
      node_modules/table

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install gulp@3.9.1, which is a breaking change
node_modules/glob-stream/node_modules/glob-parent
node_modules/glob-watcher/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/glob-watcher/node_modules/chokidar
    glob-watcher  >=3.0.0
    Depends on vulnerable versions of chokidar
    node_modules/glob-watcher
  glob-stream  5.3.0 - 6.1.0
  Depends on vulnerable versions of glob-parent
  node_modules/glob-stream
    vinyl-fs  >=2.4.2
    Depends on vulnerable versions of glob-stream
    node_modules/vinyl-fs
      gulp  >=4.0.0
      Depends on vulnerable versions of vinyl-fs
      node_modules/gulp
        gulp-mocha  >=7.0.0
        Depends on vulnerable versions of gulp
        node_modules/gulp-mocha

13 vulnerabilities (6 moderate, 7 high)

plastikfan commented 2 years ago

gulp example: gulp-sass-bootstrap-boilerplate

plastikfan commented 2 years ago

It may be that npm audit is reporting problems that ought not to be, see this: npm audit broken by design

Also, I've installed npm-check-updates globally to help with updating dependencies to their latest version.

plastikfan commented 2 years ago

Just added an audit task that only checks for production vulnerabilities. This is a non-issue.