elhacker-net / web-nuevo

Frontend of elhacker.net!
https://www.elhacker.net
MIT License

Outdated dependencies #29

Closed MinusFour closed 2 years ago

MinusFour commented 2 years ago

The repository is barely a year old and the dependencies are already outdated. There are a number of problems to resolve:

Stylelint

I think we need to move to v14. There are some packages flagged with ReDoS, among other things.

Webpack

I think we should also move it to v5. The problem is that the webpack loaders/plugins need to be updated as well. Among them:

css-loader
style-loader
sass-loader

The real problem is webpack-dev-server, whose current version doesn't run on node v17 unless we add an execution option to node.

Other dependencies

The remaining packages can, I think, be updated with npm update. Either way, the new dependencies will have to be tested gradually.

The warnings NPM generates (there are more, but they're irrelevant).

npm WARN deprecated ini@1.3.5: Please update to ini >=1.3.6 to avoid a prototype pollution issue
npm WARN deprecated @stylelint/postcss-markdown@0.36.1: Use the original unforked package instead: postcss-markdown
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

added 1322 packages, and audited 1323 packages in 8s

103 packages are looking for funding
  run `npm fund` for details

40 vulnerabilities (22 moderate, 18 high)

NPM audit

ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via npm audit fix
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.1.0
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via npm audit fix --force
Will install webpack-cli@4.9.1, which is a breaking change
node_modules/cli-truncate/node_modules/ansi-regex
node_modules/cliui/node_modules/ansi-regex
node_modules/eslint/node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/log-update/node_modules/ansi-regex
node_modules/stylelint/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
node_modules/webpack-cli/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/cliui/node_modules/strip-ansi
  node_modules/table/node_modules/strip-ansi
  node_modules/webpack-cli/node_modules/strip-ansi
  node_modules/wrap-ansi/node_modules/strip-ansi
  node_modules/yargs/node_modules/strip-ansi
  cliui  4.0.0 - 5.0.0
  Depends on vulnerable versions of strip-ansi
  Depends on vulnerable versions of wrap-ansi
  node_modules/cliui
  node_modules/webpack-cli/node_modules/cliui
  yargs  10.1.0 - 15.0.0
  Depends on vulnerable versions of cliui
  Depends on vulnerable versions of string-width
  node_modules/webpack-cli/node_modules/yargs
  node_modules/yargs
  webpack-cli  <=0.0.8-development || 2.0.11 - 3.3.12
  Depends on vulnerable versions of yargs
  node_modules/webpack-cli
  webpack-dev-server  2.0.0-beta - 4.1.0
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server
  string-width  2.1.0 - 4.1.0
  Depends on vulnerable versions of strip-ansi
  node_modules/cliui/node_modules/string-width
  node_modules/table/node_modules/string-width
  node_modules/webpack-cli/node_modules/string-width
  node_modules/wrap-ansi/node_modules/string-width
  node_modules/yargs/node_modules/string-width
  table  4.0.2 - 5.4.6
  Depends on vulnerable versions of string-width
  node_modules/table
  eslint  4.18.2 - 7.15.0
  Depends on vulnerable versions of table
  node_modules/eslint
  stylelint  9.6.0 - 13.6.1
  Depends on vulnerable versions of table
  node_modules/stylelint
  wrap-ansi  3.0.0 - 6.1.0
  Depends on vulnerable versions of string-width
  Depends on vulnerable versions of strip-ansi
  node_modules/webpack-cli/node_modules/wrap-ansi
  node_modules/wrap-ansi

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via npm audit fix
node_modules/browserslist

dns-packet  <1.3.2
Severity: high
Potential memory exposure in dns-packet - https://github.com/advisories/GHSA-3wcq-x3mq-6r9p
fix available via npm audit fix
node_modules/dns-packet

elliptic  <6.5.4
Severity: moderate
Use of a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w
fix available via npm audit fix
node_modules/elliptic

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix
node_modules/eslint/node_modules/glob-parent
node_modules/fast-glob/node_modules/glob-parent
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
  watchpack  0.2.2 - 1.6.1
  Depends on vulnerable versions of chokidar
  node_modules/watchpack
  webpack-dev-server  2.0.0-beta - 4.1.0
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server

hosted-git-info  <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via npm audit fix
node_modules/hosted-git-info

ini  <1.3.6
Severity: high
Prototype Pollution - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via npm audit fix
node_modules/ini

lodash  <4.17.21
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via npm audit fix
node_modules/inquirer/node_modules/lodash
node_modules/lodash

node-forge  <0.10.0
Severity: high
Prototype Pollution in node-forge - https://github.com/advisories/GHSA-92xj-mqp7-vmcj
fix available via npm audit fix
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.7
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
  renderkid  1.0.0 - 2.0.5
  Depends on vulnerable versions of css-select
  node_modules/renderkid

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via npm audit fix
node_modules/path-parse

postcss  7.0.0 - 7.0.35
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
fix available via npm audit fix
node_modules/autoprefixer/node_modules/postcss
node_modules/postcss
node_modules/stylelint-order/node_modules/postcss
node_modules/stylelint/node_modules/postcss

semver-regex  <3.1.3
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
fix available via npm audit fix
node_modules/semver-regex
  find-versions  <=3.2.0
  Depends on vulnerable versions of semver-regex
  node_modules/find-versions
  husky  4.2.0 - 4.3.6
  Depends on vulnerable versions of find-versions
  node_modules/husky

ssri  5.2.2 - 6.0.1
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
fix available via npm audit fix
node_modules/ssri

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via npm audit fix
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
  remark  5.0.0 - 12.0.1
  Depends on vulnerable versions of remark-parse
  node_modules/remark
  @stylelint/postcss-markdown  0.36.1
  Depends on vulnerable versions of remark
  node_modules/@stylelint/postcss-markdown

trim-newlines  <3.0.1
Severity: high
Regular Expression Denial of Service in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via npm audit fix
node_modules/stylelint/node_modules/trim-newlines

url-parse  <=1.5.1
Severity: high
Open redirect in url-parse - https://github.com/advisories/GHSA-hh27-ffr2-f2jc
Path traversal in url-parse - https://github.com/advisories/GHSA-9m6j-fcg5-2442
fix available via npm audit fix
node_modules/url-parse

ws  6.0.0 - 6.2.1
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
fix available via npm audit fix
node_modules/ws

y18n  4.0.0
Severity: high
Prototype Pollution - https://github.com/advisories/GHSA-c4w7-xm78-47vh
fix available via npm audit fix
node_modules/webpack-cli/node_modules/y18n
node_modules/y18n
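The audit above was read by hand; the comment also asks that the remaining packages be re-checked before the next round of advisories. The following is an added example, not code from the web-nuevo repository or from the issue author, of a small Node script that consumes the JSON form of the same report (`npm audit --json`) and turns it into a build gate. It assumes the npm 7+ report shape: a `vulnerabilities` map whose entries carry `severity`, `range`, `isDirect`, `via` (advisory objects for root causes, bare package names for transitive entries) and `fixAvailable` (`true`, `false`, or an object describing a semver-major fix, as with the ansi-regex entry whose fix installs webpack-cli@4.9.1). The sample report embedded in the script is constructed from a few of the entries listed above.

```javascript
// Added example: gate a build on `npm audit --json` output.
// Assumed report shape: npm 7+ (auditReportVersion 2); not the repository's own code.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample modelled on entries from the audit in this issue.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'ansi-html': {
      name: 'ansi-html', severity: 'high', isDirect: false, range: '*',
      via: [{ name: 'ansi-html', title: 'Uncontrolled Resource Consumption in ansi-html',
        url: 'https://github.com/advisories/GHSA-whgm-jr23-g3j9', severity: 'high', range: '*' }],
      effects: ['webpack-dev-server'], nodes: ['node_modules/ansi-html'], fixAvailable: true,
    },
    'ansi-regex': {
      name: 'ansi-regex', severity: 'moderate', isDirect: false, range: '>2.1.1 <5.0.1',
      via: [{ name: 'ansi-regex', title: 'Inefficient Regular Expression Complexity in chalk/ansi-regex',
        url: 'https://github.com/advisories/GHSA-93q8-gq69-wqmw', severity: 'moderate', range: '>2.1.1 <5.0.1' }],
      effects: ['strip-ansi'], nodes: ['node_modules/yargs/node_modules/ansi-regex'],
      // A fix exists but is a breaking (semver-major) change.
      fixAvailable: { name: 'webpack-cli', version: '4.9.1', isSemVerMajor: true },
    },
    ini: {
      name: 'ini', severity: 'high', isDirect: false, range: '<1.3.6',
      via: [{ name: 'ini', title: 'Prototype Pollution',
        url: 'https://github.com/advisories/GHSA-qqgx-2p2h-9c37', severity: 'high', range: '<1.3.6' }],
      effects: [], nodes: ['node_modules/ini'], fixAvailable: true,
    },
    elliptic: {
      name: 'elliptic', severity: 'moderate', isDirect: false, range: '<6.5.4',
      via: [{ name: 'elliptic', title: 'Use of a Broken or Risky Cryptographic Algorithm',
        url: 'https://github.com/advisories/GHSA-r9p9-mrjm-926w', severity: 'moderate', range: '<6.5.4' }],
      effects: [], nodes: ['node_modules/elliptic'], fixAvailable: true,
    },
    // Transitive entry: `via` lists the vulnerable packages it depends on.
    'webpack-dev-server': {
      name: 'webpack-dev-server', severity: 'high', isDirect: true, range: '2.0.0-beta - 4.1.0',
      via: ['ansi-html', 'chokidar', 'yargs'],
      effects: [], nodes: ['node_modules/webpack-dev-server'], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 2, high: 3, critical: 0, total: 5 } },
};

// Count findings by severity, collect those at or above `failOn`, and flag
// fixes that npm would only apply with --force (breaking upgrades).
function summarizeAudit(report, { failOn = 'high' } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity level: ${failOn}`);
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const failing = [];
  const breaking = [];
  for (const [name, vuln] of Object.entries(report.vulnerabilities || {})) {
    if (!(vuln.severity in counts)) continue; // skip malformed entries rather than crash the gate
    counts[vuln.severity] += 1;
    const via = Array.isArray(vuln.via) ? vuln.via : [];
    const entry = {
      name,
      severity: vuln.severity,
      range: vuln.range,
      direct: Boolean(vuln.isDirect),
      advisories: via.filter((v) => typeof v === 'object').map((v) => v.url),
      via: via.filter((v) => typeof v === 'string'),
    };
    const fix = vuln.fixAvailable;
    if (fix && typeof fix === 'object' && fix.isSemVerMajor) {
      breaking.push({ ...entry, fix: `${fix.name}@${fix.version}` });
    }
    if (SEVERITY_RANK[vuln.severity] >= threshold) failing.push(entry);
  }
  // Worst first, then by name, so the report is stable across runs.
  failing.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name));
  return { counts, failing, breaking, exitCode: failing.length > 0 ? 1 : 0 };
}

// Human-readable summary for CI logs.
function formatSummary(summary) {
  const lines = [];
  for (const v of summary.failing) {
    const cause = v.advisories.length ? v.advisories.join(', ') : `via ${v.via.join(', ')}`;
    lines.push(`${v.severity.toUpperCase()} ${v.name} ${v.range} (${cause})`);
  }
  for (const b of summary.breaking) lines.push(`breaking fix only: ${b.name} -> ${b.fix}`);
  lines.push(`counts: ${Object.entries(summary.counts).map(([k, n]) => `${k}=${n}`).join(' ')}`);
  return lines.join('\n');
}

console.log(formatSummary(summarizeAudit(SAMPLE_REPORT)));
```

In a real pipeline the report would come from `JSON.parse` of the `npm audit --json` output instead of `SAMPLE_REPORT`, and `process.exitCode` would be set from `exitCode`. Separating `breaking` from `failing` matters here: the ansi-regex finding is only moderate and would not fail a high threshold on its own, but its only fix is the semver-major webpack-cli upgrade the issue discusses, so the gate reports it without silently forcing it.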

MinusFour commented 2 years ago

#30 fixed most of the outdated dependencies, but it would be a good idea to see whether we can update the other packages as well (before the next round of NPM advisories).

There is still a warning about querystring@0.2.0

MinusFour commented 2 years ago

The repo should be up to date now.