johnsoncodehk / vue-tsc

vue-tsc --noEmit && vite build
https://www.npmjs.com/package/vue-tsc
MIT License

`vue-tsc` v0.1.0 has vulnerabilities #28

Closed cawa-93 closed 3 years ago

cawa-93 commented 3 years ago
# npm audit report

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install vue-tsc@0.0.26, which is a breaking change
node_modules/yargs-parser
  meow  5.0.0 - 6.0.1
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    @starptech/prettyhtml  *
    Depends on vulnerable versions of meow
    node_modules/@starptech/prettyhtml
      vscode-vue-languageservice  *
      Depends on vulnerable versions of @starptech/prettyhtml
      node_modules/vscode-vue-languageservice
        vue-tsc  >=0.1.0
        Depends on vulnerable versions of vscode-vue-languageservice
        node_modules/vue-tsc
johnsoncodehk commented 3 years ago

0.0.26 has the same dependencies, but 0.0.26 uses a built-in node_modules, so npm does not report it...

I will split the dependencies through a Plugin API refactor, but this is not easy to start; see: https://github.com/johnsoncodehk/volar/discussions/168

cawa-93 commented 3 years ago

It seems to me that it would be better to give up the package @starptech/prettyhtml in favor of an alternative, if one exists. This package has not been updated for 2 years, and the whole tree of dependencies under it is a bit outdated.

johnsoncodehk commented 3 years ago

@cawa-93 I tried Prettier, but... prettyhtml is much better.

I actually want to make a new one, but I will not promise, because there is already a lot of work here. :/