cartesapp / cartes

The general-public web maps app
https://cartes.app
GNU Affero General Public License v3.0

Vulnerabilities when installing the project with NPM #641

Open tjarross opened 3 days ago

tjarross commented 3 days ago

A number of deprecated packages are used in the project and should be fixed to improve the application's stability.

Here is the output of the command npm install --legacy-peer-deps:

npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated @babel/plugin-proposal-nullish-coalescing-operator@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-nullish-coalescing-operator instead.
npm WARN deprecated @babel/plugin-proposal-class-properties@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead.
npm WARN deprecated @babel/plugin-proposal-object-rest-spread@7.20.7: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-object-rest-spread instead.
npm WARN deprecated @babel/plugin-proposal-optional-chaining@7.21.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-optional-chaining instead.
npm WARN deprecated glob@7.2.3: Glob versions prior to v9 are no longer supported
npm WARN deprecated glob@8.1.0: Glob versions prior to v9 are no longer supported
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 1562 packages, and audited 1563 packages in 1m

520 packages are looking for funding
  run `npm fund` for details

10 vulnerabilities (5 moderate, 3 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

The output of the npm audit command:

# npm audit report

@grpc/grpc-js  1.10.0 - 1.10.8
Severity: moderate
@grpc/grpc-js can allocate memory for incoming messages well above configured limits - https://github.com/advisories/GHSA-7v5v-9h63-cj86
fix available via `npm audit fix`
node_modules/@grpc/grpc-js

@xmldom/xmldom  0.8.0 - 0.8.3
Severity: critical
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
fix available via `npm audit fix --force`
Will install osmtogeojson@2.2.12, which is a breaking change
node_modules/@xmldom/xmldom
  osmtogeojson  >=3.0.0-beta.0
  Depends on vulnerable versions of @xmldom/xmldom
  node_modules/osmtogeojson

lodash.template  *
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via `npm audit fix --force`
Will install babel-plugin-webpack-alias@1.5.0, which is a breaking change
node_modules/lodash.template
  babel-plugin-webpack-alias  >=1.6.0
  Depends on vulnerable versions of lodash.template
  node_modules/babel-plugin-webpack-alias

micromatch  <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
fix available via `npm audit fix`
node_modules/micromatch

vue-template-compiler  >=2.0.0
Severity: moderate
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - https://github.com/advisories/GHSA-g3ch-rx76-35fx
No fix available
node_modules/vue-template-compiler
  documentation  >=6.3.0
  Depends on vulnerable versions of vue-template-compiler
  node_modules/documentation
    geovisio  *
    Depends on vulnerable versions of documentation
    node_modules/geovisio

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/ws

10 vulnerabilities (5 moderate, 3 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
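
As an added example (not code from the cartes project or from anyone in this thread), a small Node.js script that triages an `npm audit --json` report into the three outcomes the report above shows (fixable with `npm audit fix`, fixable only via a breaking `--force` upgrade, no fix available) and gates a CI run on the findings that are not auto-fixable; the report object is constructed to mirror the findings above, and the `failAt` threshold is an assumed parameter.

```javascript
// Added example, not code from the cartes project: triage an `npm audit --json`
// report into npm's three remediation outcomes (fix via `npm audit fix`, fix only
// via `npm audit fix --force`, no fix) and gate CI on the non-auto-fixable ones.
// SAMPLE_REPORT is constructed to mirror the findings in the issue above.
const SAMPLE_REPORT = {
  vulnerabilities: {
    "@grpc/grpc-js": { severity: "moderate", fixAvailable: true },
    "@xmldom/xmldom": { severity: "critical",
      fixAvailable: { name: "osmtogeojson", version: "2.2.12", isSemVerMajor: true } },
    "lodash.template": { severity: "high",
      fixAvailable: { name: "babel-plugin-webpack-alias", version: "1.5.0", isSemVerMajor: true } },
    micromatch: { severity: "moderate", fixAvailable: true },
    "vue-template-compiler": { severity: "moderate", fixAvailable: false },
    ws: { severity: "high", fixAvailable: true },
  },
};
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// In npm's JSON, fixAvailable is true, false, or {name, version, isSemVerMajor}.
function classifyFix(fixAvailable) {
  if (fixAvailable === true) return "auto";
  if (!fixAvailable) return "none";
  return fixAvailable.isSemVerMajor ? "breaking" : "auto";
}

// failAt (assumed parameter): lowest severity that blocks the build when the
// finding cannot be resolved by a plain `npm audit fix`.
function triage(report, failAt = "high") {
  const buckets = { auto: [], breaking: [], none: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    buckets[classifyFix(v.fixAvailable)].push({ name, severity: v.severity });
  }
  // Auto-fixable findings are left to `npm audit fix`; breaking upgrades and
  // unfixable findings need a human decision, so only those can fail the run.
  const blocking = [...buckets.breaking, ...buckets.none]
    .filter((f) => (SEVERITY_RANK[f.severity] ?? 0) >= SEVERITY_RANK[failAt])
    .map((f) => f.name);
  return { buckets, blocking, shouldFail: blocking.length > 0 };
}

// For piped input (`npm audit --json | node triage.js`) pass the stdin text here;
// below, the constructed report stands in for that input.
function gateFromJson(jsonText, failAt = "high") {
  const t = triage(JSON.parse(jsonText), failAt);
  const summary = `auto=${t.buckets.auto.length} breaking=${t.buckets.breaking.length} ` +
    `unfixable=${t.buckets.none.length} blocking=[${t.blocking.join(", ")}]`;
  return { summary, shouldFail: t.shouldFail };
}

console.log(gateFromJson(JSON.stringify(SAMPLE_REPORT)).summary);
```

With the default threshold the two breaking-change findings block the run while the unfixable moderate one is only reported; lowering `failAt` to "moderate" makes that one block too.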

tjarross commented 3 days ago

And a few warnings when launching npm run dev --legacy-peer-deps:

> cartes@0.4.0 dev
> next dev -p 8080

  ▲ Next.js 15.0.0-rc.0
  - Local:        http://localhost:8080
  - Environments: .env.local, .env.development
  - Experiments (use with caution):
    · reactCompiler

 ✓ Starting...
 ⚠ Invalid next.config.mjs options detected: 
 ⚠     Unrecognized key(s) in object: 'compilerOptions'
 ⚠ See more info here: https://nextjs.org/docs/messages/invalid-next-config
   automatically enabled Fast Refresh for 1 custom loader
Contentlayer config change detected. Updating type definitions and data...
Generated 11 documents in .contentlayer
 ✓ Ready in 3.8s
<w> [webpack.cache.PackFileCacheStrategy/webpack.FileSystemInfo] Parsing of /home/thomas/Workdir/Tests/cartes/node_modules/@contentlayer2/core/dist/generation/generate-dotpkg.js for build dependencies failed at 'import(URL.pathToFileURL(filePathJoin(generatedPkgPath, 'generated', 'index.mjs')).href)'.
<w> Build dependencies behind this expression are ignored and might cause incorrect cache invalidation.

laem commented 3 days ago

Thanks! Indeed, the npm install --legacy-peer-deps command was there because I was using the RC1 version of Next 15. Good news, Next 15 final came out yesterday :)

That alone will already fix a few problems.

And indeed, the dependencies will need to be cleaned up and updated. I always like to keep that up to date.