adobe / aem-site-template-builder

MIT License

Dependencies cause `npm audit` to fail #25

Open jzeltman opened 2 years ago

jzeltman commented 2 years ago

Expected Behaviour

Up-to-date dependencies don't cause audit issues, which can break CI/CD builds.

Actual Behaviour

npm audit fails:

engine.io  <4.0.0
Severity: high
Resource exhaustion in engine.io  - https://github.com/advisories/GHSA-j4f2-536g-r55m
No fix available
node_modules/engine.io
  socket.io  1.0.0-pre - 2.4.1
  Depends on vulnerable versions of engine.io
  node_modules/socket.io
    browser-sync  >=1.0.0
    Depends on vulnerable versions of socket.io
    node_modules/browser-sync
      @adobe/aem-site-theme-builder  *
      Depends on vulnerable versions of browser-sync
      Depends on vulnerable versions of shelljs
      node_modules/@adobe/aem-site-theme-builder

shelljs  <0.8.5
Severity: high
Improper Privilege Management in shelljs - https://github.com/advisories/GHSA-4rq4-32rv-6wp6
No fix available
node_modules/shelljs
  @adobe/aem-site-theme-builder  *
  Depends on vulnerable versions of browser-sync
  Depends on vulnerable versions of shelljs
  node_modules/@adobe/aem-site-theme-builder

Reproduce Scenario (including but not limited to)

Run `npm audit` from the theme folder

Steps to Reproduce

Platform and Version

Sample Code that illustrates the problem

Logs taken while reproducing problem
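
Added example, not part of the original issue or the project's code: a Node.js triage of `npm audit --json` output that traces each advisory up to the direct dependency that pulls it in and separates findings that have no fix available. The `report` object is constructed to mirror the text report above; its `isDirect` values are assumptions, and `directRoots`, `triage` and `split` are hypothetical helper names.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
// mirroring the text report in this issue; isDirect values are assumptions.
const adv = (title, url) => ({ title, url });
const entry = (isDirect, effects, via) =>
  ({ severity: "high", isDirect, fixAvailable: false, effects, via });
const THEME = "@adobe/aem-site-theme-builder";
const report = { auditReportVersion: 2, vulnerabilities: {
  "engine.io": entry(false, ["socket.io"], [adv("Resource exhaustion in engine.io",
    "https://github.com/advisories/GHSA-j4f2-536g-r55m")]),
  "socket.io": entry(false, ["browser-sync"], ["engine.io"]),
  "browser-sync": entry(false, [THEME], ["socket.io"]),
  "shelljs": entry(false, [THEME], [adv("Improper Privilege Management in shelljs",
    "https://github.com/advisories/GHSA-4rq4-32rv-6wp6")]),
  [THEME]: entry(true, [], ["browser-sync", "shelljs"]),
} };

// Follow `effects` upward to the direct dependencies that pull a package in.
function directRoots(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  const roots = vulns[name].isDirect ? [name] : [];
  for (const parent of vulns[name].effects) roots.push(...directRoots(vulns, parent, seen));
  return roots;
}

// One row per advisory: object entries in `via` are advisories, strings are
// names of other vulnerable packages (the transitive links).
function triage(rep) {
  const rows = [];
  for (const [name, v] of Object.entries(rep.vulnerabilities)) {
    for (const a of v.via.filter((x) => typeof x === "object")) {
      rows.push({ package: name, severity: v.severity, title: a.title, url: a.url,
        fixAvailable: Boolean(v.fixAvailable), roots: directRoots(rep.vulnerabilities, name) });
    }
  }
  return rows;
}

// Split findings at or above a severity into locally fixable vs. waiting on upstream.
function split(rows, minSeverity = "high") {
  const rank = ["info", "low", "moderate", "high", "critical"];
  const hit = rows.filter((r) => rank.indexOf(r.severity) >= rank.indexOf(minSeverity));
  return { fixable: hit.filter((r) => r.fixAvailable),
           upstream: hit.filter((r) => !r.fixAvailable) };
}

for (const r of split(triage(report)).upstream)
  console.log(`${r.severity} ${r.package} via ${r.roots.join(", ")} (no fix): ${r.url}`);
```

On a real project, replace `report` with the parsed output of `npm audit --json` run from the theme folder.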