Open nursoda opened 3 years ago
braces 3.x requires Node.js 8, but this @nicolo-ribaudo/chokidar-2
package only exists to provide legacy support on Node.js 6.
I understand. However, it is a dependency of babel (latest), and that alone leads to deprecated warnings, right?
Yes. However, Babel only uses this package when you use old Node.js versions (on newer versions, it uses chokidar@3). It's always installed (because it's not possible to specify "install this dependency but only if using Node.js version X"), but you can safely ignore the warnings because in Node.js >= 10 the vulnerable code never runs.
If you are using Yarn, you can even prevent it from installing this dependency (since you won't need it while running Babel anyway) by adding
"resolutions": {
  "@nicolo-ribaudo/chokidar-2": "./noop"
}
to your package.json
I'm on Arch and I only use current programs, including node and npm. I set all dependencies in my package.json to "latest":
I'm trying to help with a small Nextcloud app, but I'm not a dev. I think I don't use yarn. I understand that in my case this is irrelevant for production since it's a dev requirement only, and even if it were, current babel should use chokidar@3 only.
This is what I see:
$ rm -r node_modules package-lock.json
$ npm install
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
$ npm audit
found 0 vulnerabilities
Please close the bug if you think that's irrelevant or inevitable.
@nicolo-ribaudo there's also a GitHub security issue due to set-value, https://github.com/advisories/GHSA-4jqc-8m5r-9rpr:
C:\Users\xmr\Desktop\bootstrap>npm ls set-value
bootstrap@5.1.1 C:\Users\xmr\Desktop\bootstrap
`-- @babel/cli@7.15.4
  `-- @nicolo-ribaudo/chokidar-2@2.1.8-no-fsevents.2
    `-- braces@2.3.2
      `-- snapdragon@0.8.2
        `-- base@0.11.2
          `-- cache-base@1.0.1
            +-- set-value@2.0.1
            `-- union-value@1.0.1
              `-- set-value@2.0.1 deduped
Is there any way this could be upgraded?
EDIT:
Hmm, NVM, I think the Github Security advisory is wrong. I see set-value v2.0.1 has this patch https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad
Yeah, I noticed that the CVE marks 2.0.1 as secure but GH still warns about it.
Anyway, even if GH was correct, in this case you can safely dismiss the warning since the vulnerable code is not actually used.
Because braces 2.x results in an old snapdragon, resulting in an old source-map-resolve resulting in a deprecated urix and resolve-url.
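The two questions raised in this thread, "which chain of dependencies pulls the flagged package in?" and "is it reachable only through devDependencies, so it never ships to production?", can be answered from package-lock.json directly. The script below is an added example, not code from this thread or from Babel; it walks a constructed, trimmed lockfile modelled on the `npm ls set-value` tree above (the `@popperjs/core` production dependency is assumed for contrast) and reports every chain to a target package plus whether npm flagged every copy as dev-only.

```javascript
// Constructed, trimmed package-lock.json data (lockfileVersion 2/3 layout) modelled on the
// `npm ls set-value` tree above; for a real project, JSON.parse the package-lock.json file instead.
const sampleLock = { lockfileVersion: 3, packages: {
    '': { dependencies: { '@popperjs/core': '^2.10.1' }, devDependencies: { '@babel/cli': '^7.15.4' } },
    'node_modules/@popperjs/core': { version: '2.10.1' },
    'node_modules/@babel/cli': { version: '7.15.4', dev: true, dependencies: { '@nicolo-ribaudo/chokidar-2': '2.1.8-no-fsevents.2' } },
    'node_modules/@nicolo-ribaudo/chokidar-2': { version: '2.1.8-no-fsevents.2', dev: true, dependencies: { braces: '^2.3.2' } },
    'node_modules/braces': { version: '2.3.2', dev: true, dependencies: { snapdragon: '^0.8.2' } },
    'node_modules/snapdragon': { version: '0.8.2', dev: true, dependencies: { base: '^0.11.2' } },
    'node_modules/base': { version: '0.11.2', dev: true, dependencies: { 'cache-base': '^1.0.1' } },
    'node_modules/cache-base': { version: '1.0.1', dev: true, dependencies: { 'set-value': '^2.0.1', 'union-value': '^1.0.1' } },
    'node_modules/union-value': { version: '1.0.1', dev: true, dependencies: { 'set-value': '^2.0.1' } },
    'node_modules/set-value': { version: '2.0.1', dev: true },
} };
// Resolve `name` as required from the package at `fromPath` the way Node does: nearest enclosing node_modules wins.
function resolveDep(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}
// Depth-first walk from the root following `dependencies` (plus the root's `devDependencies`; optional and
// peer dependencies are ignored). Returns every chain as ['name@version', ...] ending at `target`.
function chainsTo(lock, target) {
  const pkgs = lock.packages, out = [];
  const walk = (path, chain, seen) => {
    const entry = pkgs[path] || {};
    const deps = { ...(entry.dependencies || {}), ...(path === '' ? entry.devDependencies || {} : {}) };
    for (const name of Object.keys(deps)) {
      const next = resolveDep(pkgs, path, name);
      if (!next || seen.has(next)) continue; // unresolved, or a cycle: skip
      const link = [...chain, `${name}@${pkgs[next].version}`];
      if (name === target) out.push(link);
      else walk(next, link, new Set(seen).add(next));
    }
  };
  walk('', [], new Set(['']));
  return out;
}
// npm sets `dev: true` on entries reachable only through devDependencies; require it on every installed copy.
function devOnly(lock, target) {
  const copies = Object.entries(lock.packages).filter(([p]) => p.endsWith('node_modules/' + target));
  return copies.length > 0 && copies.every(([, e]) => e.dev === true);
}
for (const chain of chainsTo(sampleLock, 'set-value')) console.log(chain.join(' > '));
console.log('set-value reachable only via devDependencies:', devOnly(sampleLock, 'set-value'));
```

A package that shows up with `dev: true` on every copy is never installed by `npm install --production`, which is what makes the warning dismissable for a deployed app; a chain reaching it from `dependencies` would not be.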