` npm audit --fix` fails

[SchoolGuy]

What happened?

Due to https://github.com/advisories/GHSA-pxg6-pf52-xh8x currently Jitsi cannot be installed from source.

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
No fix available
node_modules/cookie
  express  >=3.0.0-alpha1
  Depends on vulnerable versions of cookie
  node_modules/express
    webpack-dev-server  *
    Depends on vulnerable versions of express
    node_modules/webpack-dev-server

3 low severity vulnerabilities

Platform

• [ ] Chrome (or Chromium based)
• [ ] Firefox
• [ ] Safari
• [ ] Other desktop browser
• [ ] Android browser
• [ ] iOS browser
• [ ] Electron app
• [ ] Android mobile app
• [ ] iOS mobile app
• [ ] Custom app using a mobile SDK

Browser / app / sdk version

2.0.9753

Relevant log output

No response

Reproducibility

• [ ] The problem is reproducible on meet.jit.si

More details?

When webpack-dev-server has updated to a version of express that is not vulnerable anymore, the fix is as simple as increasing the version in package.json.

Express already has a PR that addresses that. As such this is already in motion: https://github.com/expressjs/express/pull/6017

[MMDH05]

Have the same issue. I want to try upgrading my dependencies but I might break something

[SchoolGuy]

@MMDH05 The jitsi team can do nothing until webpack-dev-server released a new version. As such we just need to stay patient. The issue is just a tracker.