netlify / cli

Netlify Command Line Interface
http://cli.netlify.com
MIT License

Impossible to update braces to ^3.0.3 #6739

Closed quasiDigi closed 2 months ago

quasiDigi commented 3 months ago

Describe the bug

On my local machine

After running npm audit and npm audit fix I get the warning:

1 high severity vulnerability

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
quasi@quasiBlip astro-ananda % npm audit
# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/braces

1 high severity vulnerability

To address all issues, run:
  npm audit fix

When checking the braces package in node_modules/netlify-cli/node_modules/, I see its version is 3.0.2

On GitHub

Also trying to solve the issue through Dependabot throws an error:

 Dependabot encountered an unknown error

Steps to reproduce

  1. In the netlify UI, I've created an Astro site with the astro-netlify-platform-starter
  2. Installed the netlify-cli on my local machine by running npm install netlify-cli --save-dev
  3. Linked my local project to the Astro site on Netlify, to an empty repo on GitHub, and linked the Netlify site to the repo.
  4. Updated my local installation through npm update
  5. I get the above mentioned error.

Configuration

[[redirects]]
  from = "/es/*"
  to = "/es/404.html"
  status = 404

[[redirects]]
  from = "/*"
  to = "/404.html"
  status = 404

Environment

Had to use npx node_modules/netlify-cli/node_modules/envinfo --system --binaries --npmPackages netlify-cli --npmGlobalPackages netlify-cli

  System:
    OS: macOS 14.5
    CPU: (12) x64 Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz
    Memory: 809.07 MB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 21.5.0 - /usr/local/bin/node
    Yarn: 1.22.22 - /usr/local/bin/yarn
    npm: 10.2.4 - /usr/local/bin/npm
    pnpm: 9.0.6 - /usr/local/bin/pnpm
  npmPackages:
    netlify-cli: ^17.29.0 => 17.30.0 

Here's the content of the package.json:

{
  "name": "astro-netlify-platform-starter",
  "type": "module",
  "version": "0.1.0",
  "scripts": {
    "dev": "astro dev",
    "start": "astro dev",
    "build": "astro build",
    "preview": "astro preview",
    "astro": "astro"
  },
  "dependencies": {
    "@astrojs/netlify": "^5.2.0",
    "@astrojs/partytown": "^2.1.1",
    "@astrojs/react": "^3.3.0",
    "@astrojs/sitemap": "^3.1.6",
    "@astrojs/tailwind": "^5.1.0",
    "@fontsource-variable/montserrat": "^5.0.19",
    "@fontsource/inter": "^5.0.18",
    "@netlify/blobs": "^7.3.0",
    "@netlify/functions": "^2.8.0",
    "@types/react": "^18.2.79",
    "@types/react-dom": "^18.2.25",
    "aos": "^2.3.4",
    "astro": "^4.6.2",
    "astro-favicons": "^2.0.2",
    "blobshape": "^1.0.0",
    "marked": "^13.0.0",
    "marked-shiki": "^1.1.0",
    "netlify-cli": "^17.29.0",
    "node-html-parser": "^6.1.13",
    "react": "^18.2.0",
    "react-dom": "^18.2.0",
    "sass": "^1.77.6",
    "swiper": "^11.1.4",
    "tailwindcss": "^3.4.3",
    "unique-names-generator": "^4.7.1"
  },
  "devDependencies": {
    "@types/blobshape": "^1.0.3",
    "@types/node": "^20.12.7",
    "daisyui": "^4.10.2"
  }
}

G-Rath commented 3 months ago

cc @sarahetter

G-Rath commented 3 months ago

fwiw this has been around for about a month - I was hoping the new tooling mentioned in #6508 would have meant this got addressed in a timely fashion, but it has not 😞

Related: https://github.com/netlify/cli/pull/6704

DavidWaters-AP commented 2 months ago

I have the same issue.

I tried removing the CLI including manually removing Netlify CLI from modules and package.json to reinstall and the problem just comes back.

G-Rath commented 2 months ago

@DavidWaters-AP it's because Netlify uses npm-shrinkwrap.json, so it locks every dependency in its entire tree, which npm does not allow you to ignore, so we're reliant on Netlify to keep their dependencies up to date.
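The audit report in the original post and the shrinkwrap explanation above describe the same situation from two sides: a nested copy of braces at node_modules/netlify-cli/node_modules/braces that npm audit fix cannot replace because the parent package pins its whole tree. The script below is an added example, not code from netlify/cli or from anyone in this thread. It walks the flat "packages" map of a lockfileVersion 2 or 3 package-lock.json or npm-shrinkwrap.json, lists every installed copy of a named package below the patched version, and marks copies whose parent carries npm's hasShrinkwrap flag as needing an upstream release rather than a local fix. The sample lockfile is constructed for the example and is not a real netlify-cli lockfile; the version comparison assumes plain x.y.z versions with no prerelease tags.

```javascript
// Added example (not code from netlify/cli): find every copy of a package in an
// npm lockfile that is still below the patched version, and report whether the
// copy sits under a dependency that ships its own npm-shrinkwrap.json, which
// is the case where `npm audit fix` and `npm update` cannot help.

// Compare two plain x.y.z versions. Assumption: no prerelease tags.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Split a lockfile path such as "node_modules/netlify-cli/node_modules/braces"
// into the package name ("braces", or "@scope/name" for scoped packages) and the
// enclosing package path ("node_modules/netlify-cli"; "" for a hoisted copy).
function splitLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  if (idx < 0) return null;
  return {
    name: lockPath.slice(idx + marker.length),
    parent: idx === 0 ? '' : lockPath.slice(0, idx - 1),
  };
}

// Return one record per installed copy of `name` whose version is below `fixedIn`.
// `lockfile` is the parsed JSON of a lockfileVersion 2/3 file ("packages" map).
function findVulnerableCopies(lockfile, name, fixedIn) {
  const packages = lockfile.packages || {};
  const hits = [];
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === '') continue; // "" is the root project itself
    const parts = splitLockPath(lockPath);
    if (!parts || parts.name !== name || !entry.version) continue;
    if (compareVersions(entry.version, fixedIn) >= 0) continue;
    const parentEntry = parts.parent ? packages[parts.parent] : undefined;
    hits.push({
      path: lockPath,
      version: entry.version,
      parent: parts.parent || '(project root)',
      // npm records hasShrinkwrap: true on packages that ship npm-shrinkwrap.json
      lockedByShrinkwrap: Boolean(parentEntry && parentEntry.hasShrinkwrap),
    });
  }
  return hits;
}

// One line of advice per hit: what a local `npm audit fix` can and cannot do.
function describeHit(hit, fixedIn) {
  const reason = hit.lockedByShrinkwrap
    ? `pinned by ${hit.parent}'s npm-shrinkwrap.json; only an upstream release of ${hit.parent} fixes it`
    : 'not shrinkwrapped; npm audit fix / npm update should be able to bump it';
  return `${hit.path}@${hit.version} is below ${fixedIn}: ${reason}`;
}

// Constructed sample lockfile modelled on the report in this thread (not a real
// netlify-cli lockfile): a hoisted, patched braces plus a nested, unpatched one
// under a shrinkwrapped netlify-cli.
const SAMPLE_LOCKFILE = {
  name: 'astro-netlify-platform-starter',
  lockfileVersion: 3,
  packages: {
    '': { name: 'astro-netlify-platform-starter', version: '0.1.0' },
    'node_modules/braces': { version: '3.0.3' },
    'node_modules/netlify-cli': { version: '17.30.0', hasShrinkwrap: true },
    'node_modules/netlify-cli/node_modules/braces': { version: '3.0.2' },
  },
};

// Run against the constructed sample when executed directly.
for (const hit of findVulnerableCopies(SAMPLE_LOCKFILE, 'braces', '3.0.3')) {
  console.log(describeHit(hit, '3.0.3'));
}
```

To run it against a real project, feed `findVulnerableCopies` the parsed contents of the project's package-lock.json (for example `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`) together with the package name and the "fix available" version from the advisory. A copy reported as locked by a shrinkwrap is the one that keeps reappearing after a reinstall, as described earlier in the thread.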

sarahetter commented 2 months ago

Closing as resolved for braces (has been updated) and as duplicate topic for #6731