nestjs / nest

A progressive Node.js framework for building efficient, scalable, and enterprise-grade server-side applications with TypeScript/JavaScript 🚀
https://nestjs.com
MIT License

npm warning about vulnerabilities and dependency errors #11962

Closed Brilhante29 closed 1 year ago

Brilhante29 commented 1 year ago

Is there an existing issue for this?

Current behavior

Error when creating the project with nest new PROJECT_NAME

nest new myProject
cd myProject
npm i

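The install completes, but npm reports 25 moderate severity vulnerabilities, all traced to semver <7.5.2 (GHSA-c2qf-rxjj-qqgw) in the audit report below.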

Minimum reproduction code

https://github.com/Brilhante29/Nestjs-errors

Steps to reproduce

  1. nest new myProject
  2. cd myProject
  3. npm i

Expected behavior

up to date, audited 665 packages in 9s

95 packages are looking for funding
  run npm fund for details

25 moderate severity vulnerabilities

To address issues that do not require attention, run: npm audit fix

To address all issues (including breaking changes), run: npm audit fix --force

Run npm audit for details.

╭─guilhermebrilhante@MacBook-Pro-de-Guilherme ~/projects/api
╰─$ npm audit fix

up to date, audited 665 packages in 6s

95 packages are looking for funding
  run npm fund for details

npm audit report

semver <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix --force
Will install ts-jest@27.0.3, which is a breaking change
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/make-dir/node_modules/semver
  @babel/core
  Depends on vulnerable versions of @babel/helper-compilation-targets
  Depends on vulnerable versions of semver
  node_modules/@babel/core
  @babel/helper-compilation-targets
  Depends on vulnerable versions of @babel/core
  Depends on vulnerable versions of semver
  node_modules/@babel/helper-compilation-targets
  @jest/transform
  Depends on vulnerable versions of @babel/core
  Depends on vulnerable versions of babel-plugin-istanbul
  node_modules/@jest/transform
  @jest/core
  Depends on vulnerable versions of @jest/reporters
  Depends on vulnerable versions of @jest/transform
  Depends on vulnerable versions of jest-config
  Depends on vulnerable versions of jest-resolve-dependencies
  Depends on vulnerable versions of jest-runner
  Depends on vulnerable versions of jest-runtime
  Depends on vulnerable versions of jest-snapshot
  node_modules/@jest/core
  jest >=24.0.0-alpha.0
  Depends on vulnerable versions of @jest/core
  Depends on vulnerable versions of jest-cli
  node_modules/jest
  ts-jest >=25.10.0-alpha.1
  Depends on vulnerable versions of babel-jest
  Depends on vulnerable versions of jest
  node_modules/ts-jest
  jest-cli >=24.0.0-alpha.0
  Depends on vulnerable versions of @jest/core
  Depends on vulnerable versions of jest-config
  node_modules/jest-cli
  babel-jest >=18.5.0-alpha.7da3df39
  Depends on vulnerable versions of @babel/core
  Depends on vulnerable versions of @jest/transform
  Depends on vulnerable versions of babel-plugin-istanbul
  Depends on vulnerable versions of babel-preset-jest
  node_modules/babel-jest
  jest-runner >=24.2.0-alpha.0
  Depends on vulnerable versions of @jest/transform
  Depends on vulnerable versions of jest-runtime
  node_modules/jest-runner
  jest-config >=24.0.0-alpha.0
  Depends on vulnerable versions of @babel/core
  Depends on vulnerable versions of babel-jest
  Depends on vulnerable versions of jest-circus
  Depends on vulnerable versions of jest-runner
  node_modules/jest-config
  jest-runtime >=24.2.0-alpha.0
  Depends on vulnerable versions of @jest/globals
  Depends on vulnerable versions of @jest/transform
  Depends on vulnerable versions of jest-snapshot
  node_modules/jest-runtime
  jest-circus >=25.2.4
  Depends on vulnerable versions of @jest/expect
  Depends on vulnerable versions of jest-runtime
  Depends on vulnerable versions of jest-snapshot
  node_modules/jest-circus
  babel-preset-current-node-syntax
  Depends on vulnerable versions of @babel/core
  node_modules/babel-preset-current-node-syntax
  babel-preset-jest >=24.2.0-alpha.0
  Depends on vulnerable versions of @babel/core
  Depends on vulnerable versions of babel-preset-current-node-syntax
  node_modules/babel-preset-jest
  istanbul-lib-instrument >=1.2.0
  Depends on vulnerable versions of @babel/core
  Depends on vulnerable versions of semver
  node_modules/istanbul-lib-instrument
  @jest/reporters
  Depends on vulnerable versions of @jest/transform
  Depends on vulnerable versions of istanbul-lib-instrument
  Depends on vulnerable versions of istanbul-lib-report
  Depends on vulnerable versions of istanbul-reports
  node_modules/@jest/reporters
  babel-plugin-istanbul >=3.1.0-candidate.0
  Depends on vulnerable versions of istanbul-lib-instrument
  node_modules/babel-plugin-istanbul
  jest-snapshot >=27.0.0-next.0
  Depends on vulnerable versions of @babel/core
  Depends on vulnerable versions of @jest/transform
  Depends on vulnerable versions of babel-preset-current-node-syntax
  node_modules/jest-snapshot
  @jest/expect *
  Depends on vulnerable versions of jest-snapshot
  node_modules/@jest/expect
  @jest/globals >=28.0.0-alpha.0
  Depends on vulnerable versions of @jest/expect
  node_modules/@jest/globals
  jest-resolve-dependencies >=27.0.0-next.0
  Depends on vulnerable versions of jest-snapshot
  node_modules/jest-resolve-dependencies
  make-dir 2.0.0 - 3.1.0
  Depends on vulnerable versions of semver
  node_modules/make-dir
  istanbul-lib-report >=2.0.5
  Depends on vulnerable versions of make-dir
  node_modules/istanbul-lib-report
  istanbul-reports >=3.0.0-alpha.0
  Depends on vulnerable versions of istanbul-lib-report
  node_modules/istanbul-reports

25 moderate severity vulnerabilities

To address issues that do not require attention, run: npm audit fix

To address all issues (including breaking changes), run: npm audit fix --force

Package

Other package

jest, ts-jest, mailer

NestJS version

10.1.1

Packages versions

{
  "name": "api",
  "version": "0.0.1",
  "description": "",
  "author": "",
  "private": true,
  "license": "UNLICENSED",
  "scripts": {
    "build": "nest build",
    "format": "prettier --write \"src/**/*.ts\" \"test/**/*.ts\"",
    "start": "nest start",
    "start:dev": "nest start --watch",
    "start:debug": "nest start --debug --watch",
    "start:prod": "node dist/main",
    "lint": "eslint \"{src,apps,libs,test}/**/*.ts\" --fix",
    "test": "jest",
    "test:watch": "jest --watch",
    "test:cov": "jest --coverage",
    "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
    "test:e2e": "jest --config ./test/jest-e2e.json"
  },
  "dependencies": {
    "@nestjs/common": "^10.0.0",
    "@nestjs/core": "^10.0.0",
    "@nestjs/platform-express": "^10.0.0",
    "reflect-metadata": "^0.1.13",
    "rxjs": "^7.8.1"
  },
  "devDependencies": {
    "@nestjs/cli": "^10.0.0",
    "@nestjs/schematics": "^10.0.0",
    "@nestjs/testing": "^10.0.0",
    "@types/express": "^4.17.17",
    "@types/jest": "^29.5.2",
    "@types/node": "^20.3.1",
    "@types/supertest": "^2.0.12",
    "@typescript-eslint/eslint-plugin": "^5.59.11",
    "@typescript-eslint/parser": "^5.59.11",
    "eslint": "^8.42.0",
    "eslint-config-prettier": "^8.8.0",
    "eslint-plugin-prettier": "^4.2.1",
    "jest": "^29.5.0",
    "prettier": "^2.8.8",
    "source-map-support": "^0.5.21",
    "supertest": "^6.3.3",
    "ts-jest": "^29.1.0",
    "ts-loader": "^9.4.3",
    "ts-node": "^10.9.1",
    "tsconfig-paths": "^4.2.0",
    "typescript": "^5.1.3"
  },
  "jest": {
    "moduleFileExtensions": [
      "js",
      "json",
      "ts"
    ],
    "rootDir": "src",
    "testRegex": ".*\\.spec\\.ts$",
    "transform": {
      "^.+\\.(t|j)s$": "ts-jest"
    },
    "collectCoverageFrom": [
      "**/*.(t|j)s"
    ],
    "coverageDirectory": "../coverage",
    "testEnvironment": "node"
  }
}

Node.js version

18.16.0

In which operating systems have you tested?

Other

No response

kamilmysliwiec commented 1 year ago

Please, use our Discord channel (support) for such questions. We are using GitHub to track bugs, feature requests, and potential improvements.