Closed plastikfan closed 2 years ago
Using active-forks, I was able to find the most active up to date fork for gulp-eslint: gulp-eslint-new
Here is the vulnerability profile:
# npm audit report
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install gulp-eslint@4.0.2, which is a breaking change
node_modules/gulp-eslint/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
node_modules/wide-align/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/gulp-eslint/node_modules/strip-ansi
node_modules/table/node_modules/strip-ansi
node_modules/wide-align/node_modules/strip-ansi
eslint 4.5.0 - 7.15.0
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of table
node_modules/gulp-eslint/node_modules/eslint
gulp-eslint 2.0.0-rc-1 - 2.0.0-rc-3 || >=5.0.0
Depends on vulnerable versions of eslint
node_modules/gulp-eslint
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/table/node_modules/string-width
node_modules/wide-align/node_modules/string-width
table 4.0.2 - 5.4.6
Depends on vulnerable versions of string-width
node_modules/table
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install gulp@3.9.1, which is a breaking change
node_modules/glob-stream/node_modules/glob-parent
node_modules/glob-watcher/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/glob-watcher/node_modules/chokidar
glob-watcher >=3.0.0
Depends on vulnerable versions of chokidar
node_modules/glob-watcher
glob-stream 5.3.0 - 6.1.0
Depends on vulnerable versions of glob-parent
node_modules/glob-stream
vinyl-fs >=2.4.2
Depends on vulnerable versions of glob-stream
node_modules/vinyl-fs
gulp >=4.0.0
Depends on vulnerable versions of vinyl-fs
node_modules/gulp
gulp-mocha >=7.0.0
Depends on vulnerable versions of gulp
node_modules/gulp-mocha
13 vulnerabilities (6 moderate, 7 high)
gulp example: gulp-sass-bootstrap-boilerplate
It may be that npm audit is reporting problems that ought not to be, see this: npm audit broken by design
Also, I've installed npm-check-updates globally to help with updating dependencies to their latest version.
Just added an audit task that only checks for production vulnerabilities. This is a non-issue.
In particular, gulp and gulp-eslint seem to still be dependent upon vulnerabilities.
Try these approaches: