Closed MinusFour closed 2 years ago
#30 fixed most of the outdated dependencies, but it would be a good idea to check whether we can update the remaining packages (before the next round of NPM advisories).
There is still a warning about querystring@0.2.0
The repo should be up to date now.
The repository is barely a year old and the dependencies are already outdated. There are a number of problems to solve:

Stylelint
I think we need to move to v14. Some packages are flagged for ReDoS, among other things.

Webpack
I think we also need to move it to v5. The problem is that the webpack loaders/plugins have to be updated as well. Among them:
css-loader
style-loader
sass-loader
The real problem is webpack-dev-server, which in its current version does not run on node v17 unless we add a run option to node.

Other dependencies
I think the rest of the packages can be updated with npm update. Either way, the new dependencies will have to be tested gradually.

The warnings NPM generates (there are more, but they are irrelevant).

NPM audit
ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix`
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.1.0
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install webpack-cli@4.9.1, which is a breaking change
node_modules/cli-truncate/node_modules/ansi-regex
node_modules/cliui/node_modules/ansi-regex
node_modules/eslint/node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/log-update/node_modules/ansi-regex
node_modules/stylelint/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
node_modules/webpack-cli/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/cliui/node_modules/strip-ansi
  node_modules/table/node_modules/strip-ansi
  node_modules/webpack-cli/node_modules/strip-ansi
  node_modules/wrap-ansi/node_modules/strip-ansi
  node_modules/yargs/node_modules/strip-ansi
  cliui  4.0.0 - 5.0.0
  Depends on vulnerable versions of strip-ansi
  Depends on vulnerable versions of wrap-ansi
  node_modules/cliui
  node_modules/webpack-cli/node_modules/cliui
  yargs  10.1.0 - 15.0.0
  Depends on vulnerable versions of cliui
  Depends on vulnerable versions of string-width
  node_modules/webpack-cli/node_modules/yargs
  node_modules/yargs
  webpack-cli  <=0.0.8-development || 2.0.11 - 3.3.12
  Depends on vulnerable versions of yargs
  node_modules/webpack-cli
  webpack-dev-server  2.0.0-beta - 4.1.0
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server
  string-width  2.1.0 - 4.1.0
  Depends on vulnerable versions of strip-ansi
  node_modules/cliui/node_modules/string-width
  node_modules/table/node_modules/string-width
  node_modules/webpack-cli/node_modules/string-width
  node_modules/wrap-ansi/node_modules/string-width
  node_modules/yargs/node_modules/string-width
  table  4.0.2 - 5.4.6
  Depends on vulnerable versions of string-width
  node_modules/table
  eslint  4.18.2 - 7.15.0
  Depends on vulnerable versions of table
  node_modules/eslint
  stylelint  9.6.0 - 13.6.1
  Depends on vulnerable versions of table
  node_modules/stylelint
  wrap-ansi  3.0.0 - 6.1.0
  Depends on vulnerable versions of string-width
  Depends on vulnerable versions of strip-ansi
  node_modules/webpack-cli/node_modules/wrap-ansi
  node_modules/wrap-ansi

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix`
node_modules/browserslist

dns-packet  <1.3.2
Severity: high
Potential memory exposure in dns-packet - https://github.com/advisories/GHSA-3wcq-x3mq-6r9p
fix available via `npm audit fix`
node_modules/dns-packet

elliptic  <6.5.4
Severity: moderate
Use of a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w
fix available via `npm audit fix`
node_modules/elliptic

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/eslint/node_modules/glob-parent
node_modules/fast-glob/node_modules/glob-parent
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
  watchpack  0.2.2 - 1.6.1
  Depends on vulnerable versions of chokidar
  node_modules/watchpack
  webpack-dev-server  2.0.0-beta - 4.1.0
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server

hosted-git-info  <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/hosted-git-info

ini  <1.3.6
Severity: high
Prototype Pollution - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via `npm audit fix`
node_modules/ini

lodash  <4.17.21
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via `npm audit fix`
node_modules/inquirer/node_modules/lodash
node_modules/lodash

node-forge  <0.10.0
Severity: high
Prototype Pollution in node-forge - https://github.com/advisories/GHSA-92xj-mqp7-vmcj
fix available via `npm audit fix`
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.7
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
  renderkid  1.0.0 - 2.0.5
  Depends on vulnerable versions of css-select
  node_modules/renderkid

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse

postcss  7.0.0 - 7.0.35
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
fix available via `npm audit fix`
node_modules/autoprefixer/node_modules/postcss
node_modules/postcss
node_modules/stylelint-order/node_modules/postcss
node_modules/stylelint/node_modules/postcss

semver-regex  <3.1.3
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
fix available via `npm audit fix`
node_modules/semver-regex
  find-versions  <=3.2.0
  Depends on vulnerable versions of semver-regex
  node_modules/find-versions
  husky  4.2.0 - 4.3.6
  Depends on vulnerable versions of find-versions
  node_modules/husky

ssri  5.2.2 - 6.0.1
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
fix available via `npm audit fix`
node_modules/ssri

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix`
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
  remark  5.0.0 - 12.0.1
  Depends on vulnerable versions of remark-parse
  node_modules/remark
  @stylelint/postcss-markdown  0.36.1
  Depends on vulnerable versions of remark
  node_modules/@stylelint/postcss-markdown

trim-newlines  <3.0.1
Severity: high
Regular Expression Denial of Service in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/stylelint/node_modules/trim-newlines

url-parse  <=1.5.1
Severity: high
Open redirect in url-parse - https://github.com/advisories/GHSA-hh27-ffr2-f2jc
Path traversal in url-parse - https://github.com/advisories/GHSA-9m6j-fcg5-2442
fix available via `npm audit fix`
node_modules/url-parse

ws  6.0.0 - 6.2.1
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
fix available via `npm audit fix`
node_modules/ws

y18n  4.0.0
Severity: high
Prototype Pollution - https://github.com/advisories/GHSA-c4w7-xm78-47vh
fix available via `npm audit fix`
node_modules/webpack-cli/node_modules/y18n
node_modules/y18n
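A report like the one above mixes two very different things: a handful of root advisories (the entries with a GHSA link) and a long tail of packages that merely "depend on vulnerable versions" of them, plus fixes that `npm audit fix` can apply on its own versus semver-major bumps such as webpack-cli@4.9.1 that need manual work. The script below is an added example, not code from this repository or from npm. It reads the machine-readable form of the same report (`npm audit --json`, npm 7+ layout with `auditReportVersion` 2) and splits it along those lines. The embedded sample is constructed: package names, ranges, advisory titles and URLs and the webpack-cli@4.9.1 breaking fix are taken from the report above, the remaining fields (`source` ids, `isDirect`, `effects`, `nodes`) are filled in by hand and the tree is trimmed to four entries.

```python
"""Triage an `npm audit --json` report (npm 7+ layout, auditReportVersion 2).

Added example for this issue, not the repository's own code. It separates
root advisories from "depends on vulnerable version" edges, and fixes that
`npm audit fix` can apply from semver-major bumps that need manual work.
"""
import json

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `npm audit --json` from npm 7+. Names,
# ranges, advisory titles/URLs and the webpack-cli@4.9.1 breaking fix come from
# the audit report in the issue; the other fields are filled in by hand and the
# dependency tree is trimmed to four entries for brevity.
SAMPLE_AUDIT_JSON = r'''{"auditReportVersion": 2, "vulnerabilities": {
  "ansi-html": {"name": "ansi-html", "severity": "high", "isDirect": false,
    "via": [{"source": 1, "name": "ansi-html", "dependency": "ansi-html",
             "title": "Uncontrolled Resource Consumption in ansi-html",
             "url": "https://github.com/advisories/GHSA-whgm-jr23-g3j9",
             "severity": "high", "range": "*"}],
    "effects": ["webpack-dev-server"], "range": "*",
    "nodes": ["node_modules/ansi-html"], "fixAvailable": true},
  "ansi-regex": {"name": "ansi-regex", "severity": "moderate", "isDirect": false,
    "via": [{"source": 2, "name": "ansi-regex", "dependency": "ansi-regex",
             "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex",
             "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw",
             "severity": "moderate", "range": ">2.1.1 <5.0.1"}],
    "effects": ["strip-ansi"], "range": ">2.1.1 <5.0.1",
    "nodes": ["node_modules/webpack-cli/node_modules/ansi-regex"],
    "fixAvailable": {"name": "webpack-cli", "version": "4.9.1", "isSemVerMajor": true}},
  "webpack-cli": {"name": "webpack-cli", "severity": "moderate", "isDirect": true,
    "via": ["yargs"], "effects": [], "range": "<=0.0.8-development || 2.0.11 - 3.3.12",
    "nodes": ["node_modules/webpack-cli"],
    "fixAvailable": {"name": "webpack-cli", "version": "4.9.1", "isSemVerMajor": true}},
  "webpack-dev-server": {"name": "webpack-dev-server", "severity": "high", "isDirect": true,
    "via": ["ansi-html", "chokidar", "yargs"], "effects": [],
    "range": "2.0.0-beta - 4.1.0", "nodes": ["node_modules/webpack-dev-server"],
    "fixAvailable": true}}}'''


def load_report(text):
    """Parse the JSON and refuse anything but the npm 7+ report layout."""
    report = json.loads(text)
    if report.get("auditReportVersion") != 2 or "vulnerabilities" not in report:
        raise ValueError("expected an npm 7+ audit report (auditReportVersion 2)")
    return report


def root_advisories(report):
    """Map advisory URL -> details for every advisory object found in a `via` list.

    A string in `via` is only a "depends on a vulnerable version of X" edge;
    only dict entries carry a GHSA title, URL, severity and affected range.
    """
    found = {}
    for vuln in report["vulnerabilities"].values():
        for via in vuln.get("via", []):
            if isinstance(via, dict):
                found.setdefault(via["url"], {"package": via["name"], "title": via["title"],
                                              "severity": via["severity"], "range": via["range"]})
    return found


def plan_fixes(report):
    """Split findings by what it takes to fix them.

    `fixAvailable` is True when `npm audit fix` can patch in place, a dict naming
    the package@version to install when another package has to move (with
    isSemVerMajor set when that is a breaking change), or False when no fixed
    release exists yet.
    """
    plan = {"auto": [], "breaking": {}, "unfixable": []}
    for name, vuln in sorted(report["vulnerabilities"].items()):
        fix = vuln.get("fixAvailable", False)
        if fix is False:
            plan["unfixable"].append(name)
        elif fix is True or not fix.get("isSemVerMajor", False):
            plan["auto"].append(name)
        else:
            plan["breaking"].setdefault(f'{fix["name"]}@{fix["version"]}', []).append(name)
    return plan


def direct_dependencies_to_bump(report):
    """Direct dependencies (the ones in package.json) sitting in a vulnerable range."""
    return sorted(n for n, v in report["vulnerabilities"].items() if v.get("isDirect"))


def blocking_findings(report, threshold="high"):
    """Package names at or above `threshold`; a CI gate fails when this is non-empty."""
    rank = SEVERITY_RANK[threshold]
    return sorted(n for n, v in report["vulnerabilities"].items()
                  if SEVERITY_RANK.get(v["severity"], 0) >= rank)


if __name__ == "__main__":
    rep = load_report(SAMPLE_AUDIT_JSON)
    for url, adv in root_advisories(rep).items():
        print(f'{adv["severity"]:>8}  {adv["package"]} {adv["range"]}: {adv["title"]}  {url}')
    plan = plan_fixes(rep)
    print("npm audit fix handles:", ", ".join(plan["auto"]))
    for target, names in plan["breaking"].items():
        print(f"manual bump to {target} needed for:", ", ".join(names))
    print("no fix published:", ", ".join(plan["unfixable"]) or "none")
    print("direct deps to bump:", ", ".join(direct_dependencies_to_bump(rep)))
    print("blocking (>= high):", ", ".join(blocking_findings(rep)))
```

Against a real project, pipe the report in instead of the sample (`npm audit --json > audit.json`, then `load_report(open("audit.json").read())`). The useful part of the split is `plan["breaking"]`: every package listed under a target such as webpack-cli@4.9.1 disappears with that one manual bump, which is exactly the grouping an upgrade round needs, while `blocking_findings` gives a CI gate a stable, sorted list to fail on rather than the raw text output.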