Open aaronzshey opened 1 month ago
Following #3, here's the new npm audit output:
npm audit
# npm audit report
babel-traverse *
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
No fix available
node_modules/babel-traverse
babel-core 5.8.20 - 7.0.0-beta.3
Depends on vulnerable versions of babel-helpers
Depends on vulnerable versions of babel-register
Depends on vulnerable versions of babel-template
Depends on vulnerable versions of babel-traverse
Depends on vulnerable versions of json5
node_modules/babel-core
babel-cli *
Depends on vulnerable versions of babel-core
Depends on vulnerable versions of babel-register
Depends on vulnerable versions of chokidar
node_modules/babel-cli
babel-register *
Depends on vulnerable versions of babel-core
node_modules/babel-register
babel-template *
Depends on vulnerable versions of babel-traverse
node_modules/babel-template
babel-helpers *
Depends on vulnerable versions of babel-template
node_modules/babel-helpers
braces <=3.0.2
Severity: high
Regular Expression Denial of Service in braces - https://github.com/advisories/GHSA-g95f-p29q-9xw4
Regular Expression Denial of Service (ReDoS) in braces - https://github.com/advisories/GHSA-cwfw-4gq5-mrqx
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
No fix available
node_modules/chokidar/node_modules/braces
node_modules/readdirp/node_modules/braces
micromatch 0.2.0 - 3.1.10
Depends on vulnerable versions of braces
Depends on vulnerable versions of braces
node_modules/chokidar/node_modules/micromatch
node_modules/readdirp/node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/chokidar/node_modules/anymatch
chokidar 1.3.0 - 1.7.0
Depends on vulnerable versions of anymatch
node_modules/chokidar
readdirp 2.2.0 - 2.2.1
Depends on vulnerable versions of micromatch
node_modules/readdirp
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
No fix available
node_modules/babel-core/node_modules/json5
12 vulnerabilities (2 low, 6 high, 4 critical)
To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.
It seems like all the issues stemmed from Babel. In #3 I selected "SWC" as the new tool, so after deleting babel dependencies they should be gone.
A new npm install reveals these warns:
npm warn deprecated rimraf@2.6.3: Rimraf versions prior to v4 are no longer supported
npm warn deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
npm warn deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm warn deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm warn deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
> npm outdated
Package Current Wanted Latest Location Depended by
@testing-library/jest-dom 5.17.0 5.17.0 6.4.8 node_modules/@testing-library/jest-dom react-hexgrid
@testing-library/react 13.3.0 13.3.0 16.0.0 node_modules/@testing-library/react react-hexgrid
@types/jest 28.1.8 28.1.8 29.5.12 node_modules/@types/jest react-hexgrid
fsevents 1.2.13 1.2.13 2.3.3 node_modules/fsevents react-hexgrid
jest 28.1.3 28.1.3 29.7.0 node_modules/jest react-hexgrid
jest-environment-jsdom 28.1.3 28.1.3 29.7.0 node_modules/jest-environment-jsdom react-hexgrid
react-use 17.4.0 17.4.0 17.5.1 node_modules/react-use react-hexgrid
ts-jest 28.0.8 28.0.8 29.2.3 node_modules/ts-jest react-hexgrid
typescript 4.9.5 4.9.5 5.5.4 node_modules/typescript react-hexgrid
Following #6:
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated rimraf@2.6.3: Rimraf versions prior to v4 are no longer supported
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm warn deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm warn deprecated domexception@4.0.0: Use your platform's native DOMException instead
rimraf, glob, and inflight come from:
jest 29 - jest 30 will bump the various uses of rimraf and glob
react-docgen-typescript-plugin > preset-react-webpack > react-webpack-5: uses an outdated version of flat-cache, which depends on the offending version of inflight. I've submitted a pull request to the project.
abab and domexception are no longer used in jsdom 24. However, upcoming jest-environment-jsdom 30 depends on jsdom 22, which still uses abab and domexception. I'll open an issue - I'll make a pull request later.
Here's a list of npm warns:
Time to get cracking!
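An added example, not code from the issue or from react-hexgrid: a small Node script that reads the `vulnerabilities` map of `npm audit --json` and traces each advisory back to the direct dependencies that pull it in, so a claim like "all the issues stem from Babel" can be verified before packages are deleted. The sample audit data is constructed to mirror the babel-traverse chain above, and `directRoots`, `advisoryReport` and `allRootedIn` are names chosen here.

```javascript
// Added example, not code from the react-hexgrid issue: read the `vulnerabilities` map of
// `npm audit --json` (auditReportVersion 2) and follow each entry's `effects` edges to the
// packages marked `isDirect`. Sample data is constructed to mirror the issue's Babel chain.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "babel-traverse": { isDirect: false, fixAvailable: false, effects: ["babel-template", "babel-core"],
      via: [{ severity: "critical", url: "https://github.com/advisories/GHSA-67hx-6x53-jw92" }] },
    "babel-template": { isDirect: false, fixAvailable: false, effects: ["babel-core"], via: ["babel-traverse"] },
    "json5": { isDirect: false, fixAvailable: false, effects: ["babel-core"],
      via: [{ severity: "high", url: "https://github.com/advisories/GHSA-9c47-m6qq-7p4h" }] },
    // babel-core and babel-register depend on each other: a cycle the walk must survive
    "babel-core": { isDirect: false, fixAvailable: false, effects: ["babel-cli", "babel-register"],
      via: ["babel-register", "babel-template", "babel-traverse", "json5"] },
    "babel-register": { isDirect: false, fixAvailable: false, effects: ["babel-core", "babel-cli"], via: ["babel-core"] },
    "babel-cli": { isDirect: true, fixAvailable: false, effects: [], via: ["babel-core", "babel-register"] },
  },
};
// Breadth-first walk from `name` along `effects` ("who depends on me") to every direct
// dependency that transitively pulls `name` in; the `seen` set breaks cycles.
function directRoots(vulns, name) {
  const roots = new Set(), seen = new Set([name]), queue = [name];
  while (queue.length > 0) {
    const current = queue.shift();
    const entry = vulns[current];
    if (!entry) continue; // effects may name a package outside the report
    if (entry.isDirect) roots.add(current);
    for (const dependent of entry.effects || []) {
      if (!seen.has(dependent)) { seen.add(dependent); queue.push(dependent); }
    }
  }
  return [...roots].sort();
}
// One row per real advisory (object entries in `via`; strings are transitive links).
// npm reports `fixAvailable` as true, false, or an object describing the upgrade.
function advisoryReport(audit) {
  const vulns = audit.vulnerabilities, rows = [];
  for (const [name, entry] of Object.entries(vulns)) {
    for (const v of entry.via || []) {
      if (typeof v === "string") continue;
      rows.push({ package: name, severity: v.severity, url: v.url,
                  fixAvailable: entry.fixAvailable !== false, roots: directRoots(vulns, name) });
    }
  }
  return rows;
}
// True when every advisory traces only to direct dependencies matching `pattern`,
// which is the check behind "delete the Babel packages and the findings go away".
function allRootedIn(audit, pattern) {
  return advisoryReport(audit).every(r => r.roots.length > 0 && r.roots.every(p => pattern.test(p)));
}
```

On a real project, feed it `JSON.parse` of saved `npm audit --json` output; npm exits non-zero when it finds vulnerabilities, so redirect the output to a file rather than wrapping the command in `execSync`.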