microsoft / PowerBI-visuals-tools

Contains tools for building/packaging Power BI visuals
https://www.powerbi.com
MIT License

Tools have multiple warnings with severity 'moderate' via npm audit #383

Closed iMicknl closed 1 year ago

iMicknl commented 3 years ago

Part of Get a Power BI visual certified is to pass npm audit - Must not return any warnings with high or moderate level.

However, the latest version of powerbi-visuals-tools (3.3.0) still has a warning of the moderate level, and running audit fix --force will install powerbi-visuals-tools@1.7.2, which is a huge downgrade.

To be honest, having no moderate warnings is quite a hard requirement and thus makes it hard to pass certification.

# npm audit report

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install powerbi-visuals-tools@1.7.2, which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/abort-controller-es5/node_modules/watchpack
      node_modules/event-target-shim-es5/node_modules/watchpack
      node_modules/markdown-it-attrs-es5/node_modules/watchpack
      node_modules/p-defer-es5/node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/abort-controller-es5/node_modules/webpack
        node_modules/event-target-shim-es5/node_modules/webpack
        node_modules/markdown-it-attrs-es5/node_modules/webpack
        node_modules/p-defer-es5/node_modules/webpack
          abort-controller-es5  1.1.1-master.2da7735 - 1.2.2-master.9a5c446
          Depends on vulnerable versions of webpack
          node_modules/abort-controller-es5
            botframework-directlinespeech-sdk  >=4.10.0
            Depends on vulnerable versions of abort-controller-es5
            node_modules/botframework-webchat/node_modules/botframework-directlinespeech-sdk
          event-target-shim-es5  1.1.1-master.9062597 - 1.2.3-master.97aaea3
          Depends on vulnerable versions of webpack
          node_modules/event-target-shim-es5
            botframework-webchat-api  *
            Depends on vulnerable versions of event-target-shim-es5
            node_modules/botframework-webchat/node_modules/botframework-webchat-api
              botframework-webchat  >=0.15.1-master.aeca50e
              Depends on vulnerable versions of botframework-directlinejs
              Depends on vulnerable versions of botframework-webchat-api
              Depends on vulnerable versions of markdown-it-attrs-es5
              Depends on vulnerable versions of sanitize-html
              node_modules/botframework-webchat
              botframework-webchat-component  >=4.10.0
              Depends on vulnerable versions of botframework-webchat-api
              Depends on vulnerable versions of event-target-shim-es5
              node_modules/botframework-webchat/node_modules/botframework-webchat-component
            web-speech-cognitive-services  7.0.1 - 7.1.0
            Depends on vulnerable versions of event-target-shim-es5
            node_modules/web-speech-cognitive-services
          markdown-it-attrs-es5  1.1.1-master.120605c - 1.2.1
          Depends on vulnerable versions of webpack
          node_modules/markdown-it-attrs-es5
          p-defer-es5  1.1.1-master.0ba54ef - 1.2.3-master.f6c5d69
          Depends on vulnerable versions of webpack
          node_modules/p-defer-es5
            botframework-webchat-core  >=4.10.0
            Depends on vulnerable versions of p-defer-es5
            node_modules/botframework-webchat-core
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar
    node_modules/webpack-dev-server
      powerbi-visuals-tools  2.0.1 || >=3.0.1
      Depends on vulnerable versions of webpack-dev-server
      node_modules/powerbi-visuals-tools
nishantjainuk commented 3 years ago

I am having the same issue. Would be good to get a resolution soon

JipAccobat commented 3 years ago

@iMicknl and @nishantjainuk are powerbi-visuals-tools installed globally or as a dependency of your visual?

iMicknl commented 3 years ago

@JipAccobat correct. It has been added to the devDependencies, see https://github.com/iMicknl/powerbi-botframework-chat-transcripts for my actual source code.

For me it doesn't make sense to install them globally, since this will require extra work for new devs, complicate the CI/CD and doesn't support version pinning easily.

iMicknl commented 3 years ago

By the way, powerbi-visual-tools should run npm audit --production instead of a broad npm audit. It doesn't make sense to check devDependencies for vulnerabilities, since they are not executed in a Power BI visual.
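The `--production` distinction raised in the comment above, as an added example that is not code from this issue or from the PowerBI-visuals-tools project: a small Node script that reads an `npm audit --json` report (the auditReportVersion 2 layout npm 7 and later emit) and reports whether the "no moderate or higher" certification rule fails, and whether each finding reaches the project only through devDependencies. The embedded sample report is constructed from the top of the chain posted in this issue (the botframework branches are omitted and `fixAvailable` is shown once); the package.json is constructed too. The script makes no network calls.

```javascript
// Added example, not code from this issue or from PowerBI-visuals-tools.
// Reads an `npm audit --json` report (auditReportVersion 2, npm 7+) and decides
// whether the "no moderate or higher" rule fails, and whether each finding is
// reachable only through devDependencies. package.json is supplied separately
// because the audit report does not say which direct dependencies are dev-only.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Follow `effects` edges from a vulnerable package up to the direct
// dependencies (isDirect: true) that ultimately pull it in.
function directRootsOf(report, pkg, seen = new Set()) {
  if (seen.has(pkg)) return new Set();
  seen.add(pkg);
  const entry = report.vulnerabilities[pkg];
  if (!entry) return new Set();
  if (entry.isDirect) return new Set([pkg]);
  const roots = new Set();
  for (const parent of entry.effects || []) {
    for (const root of directRootsOf(report, parent, seen)) roots.add(root);
  }
  return roots;
}

// Summarize the report against a severity threshold. Only entries carrying
// their own advisory (an object in `via`) are reported; entries whose `via`
// holds only package names are just the propagation chain.
function summarize(report, pkgJson, threshold = "moderate") {
  const dev = new Set(Object.keys(pkgJson.devDependencies || {}));
  const prod = new Set(Object.keys(pkgJson.dependencies || {}));
  const minRank = SEVERITY_RANK[threshold];
  const findings = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities || {})) {
    const advisories = (entry.via || []).filter((v) => typeof v === "object");
    if (advisories.length === 0) continue;
    if ((SEVERITY_RANK[entry.severity] ?? 0) < minRank) continue;
    const roots = [...directRootsOf(report, name)].sort();
    findings.push({
      package: name,
      severity: entry.severity,
      range: entry.range,
      advisories: advisories.map((a) => a.url),
      roots,
      // true when every direct dependency on the path is a devDependency
      // and not also listed as a runtime dependency
      devOnly: roots.length > 0 && roots.every((r) => dev.has(r) && !prod.has(r)),
    });
  }
  return {
    failsCertification: findings.length > 0,               // plain `npm audit`
    failsWithDevOmitted: findings.some((f) => !f.devOnly), // `npm audit --omit=dev`
    findings,
  };
}

// Constructed sample: the top of the chain from this issue (severity, advisory
// URL and version ranges copied from the posted output; field layout follows
// npm 7's JSON report; the botframework branches are omitted).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-parent": {
      name: "glob-parent", severity: "moderate", isDirect: false,
      via: [{ name: "glob-parent", severity: "moderate",
              title: "Regular expression denial of service",
              url: "https://npmjs.com/advisories/1751", range: "<5.1.2" }],
      effects: ["chokidar"], range: "<5.1.2",
      fixAvailable: { name: "powerbi-visuals-tools", version: "1.7.2", isSemVerMajor: true },
    },
    chokidar: { name: "chokidar", severity: "moderate", isDirect: false,
      via: ["glob-parent"], effects: ["webpack-dev-server"], range: "1.0.0-rc1 - 2.1.8" },
    "webpack-dev-server": { name: "webpack-dev-server", severity: "moderate", isDirect: false,
      via: ["chokidar"], effects: ["powerbi-visuals-tools"], range: "2.0.0-beta - 3.11.2" },
    "powerbi-visuals-tools": { name: "powerbi-visuals-tools", severity: "moderate", isDirect: true,
      via: ["webpack-dev-server"], effects: [], range: "2.0.1 || >=3.0.1" },
  },
};

// Constructed package.json of a visual that lists the tools as a devDependency,
// as described in this issue.
const SAMPLE_PACKAGE_JSON = { devDependencies: { "powerbi-visuals-tools": "3.3.0" } };

if (typeof require === "function" && require.main === module) {
  // Usage: node check-audit.js [audit.json] [package.json]; with no arguments
  // the constructed sample above is analysed.
  const fs = require("node:fs");
  const load = (path, fallback) =>
    path ? JSON.parse(fs.readFileSync(path, "utf8")) : fallback;
  const result = summarize(load(process.argv[2], SAMPLE_REPORT),
                           load(process.argv[3], SAMPLE_PACKAGE_JSON));
  console.log(JSON.stringify(result, null, 2));
}
```

To use it on a real project: `npm audit --json > audit.json`, then `node check-audit.js audit.json package.json`. `failsWithDevOmitted` approximates what `npm audit --omit=dev` (the current spelling of `--production`) would report, since that mode leaves devDependencies out of the audited tree; a package that is listed under both `dependencies` and `devDependencies` is treated as production. The `via`, `effects` and `isDirect` fields are assumed to follow npm's documented v2 report layout.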

nishantjainuk commented 3 years ago

@JipAccobat I have it as dependency as well

Demonkratiy commented 2 years ago

Hello folks! Sorry for a long delay. We just released tools version 4.0.2. There should not be any issues with npm audit at this moment ) Please try it.

iMicknl commented 2 years ago

Thanks @Demonkratiy, I will have a look.

Did you consider implementing my remark? (https://github.com/microsoft/PowerBI-visuals-tools/issues/383#issuecomment-918541617). To use npm audit --production?

Demonkratiy commented 2 years ago

@iMicknl, thank you for your advice! But I think there is no need to use npm audit --production in this case, as actually running npm install will warn about vulnerabilities anyway in such an approach. We refactored some code, changed libs or methods where it was needed to exclude any vulnerability issues related to powerbi-visuals-tools, no matter if they are real or not ;)