Open eramosr16 opened 3 years ago
Agree this is a pain in the neck. For example when creating a new NUXT app we get the following deprecated libraries... All that is needed is some work around the dependency mapping as most of the new versions should provide some backwards compatibility (maybe??)
Warning: name can no longer contain capital letters
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated @types/anymatch@3.0.0: This is a stub types definition. anymatch provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/browserslist@4.15.0: This is a stub types definition. browserslist provides its own type definitions, so you do not need this installed.
npm WARN deprecated querystring@0.2.1: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated flatten@1.0.3: flatten is deprecated in favor of utility frameworks such as lodash.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
I manually updated some of the packages in one of our projects (https://github.com/teemops/tui) and it still runs OK.
And nobody on the NUXT team seems to be bothered with this. Can we rely on them to build production-ready applications?!
Update on 2022-05-03:
create-nuxt-app v4.0.0
✨ Generating Nuxt.js project in test-nuxt-app
? Project name: test-nuxt-app
? Programming language: JavaScript
? Package manager: Npm
? UI framework: None
? Nuxt.js modules: (Press <space> to select, <a> to toggle all, <i> to invert selection)
? Linting tools: (Press <space> to select, <a> to toggle all, <i> to invert selection)
? Testing framework: None
? Rendering mode: Single Page App
? Deployment target: Server (Node.js hosting)
? Development tools: (Press <space> to select, <a> to toggle all, <i> to invert selection)
? What is your GitHub username? ecerulm
? Version control system: None
🎉 Successfully created project test-nuxt-app
To get started:
cd test-nuxt-app
npm run dev
The project generated will have 15 vulnerabilities (7 moderate, 8 high):
cd test-nuxt-app
npm audit
# npm audit report
glob-parent <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install webpack@5.72.0, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
@nuxt/webpack *
Depends on vulnerable versions of cssnano
Depends on vulnerable versions of webpack
node_modules/@nuxt/webpack
@nuxt/builder >=2.14.0
Depends on vulnerable versions of @nuxt/webpack
node_modules/@nuxt/builder
nuxt 2.14.0 - 2.15.8
Depends on vulnerable versions of @nuxt/webpack
node_modules/nuxt
nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install nuxt@2.13.3, which is a breaking change
node_modules/svgo/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/svgo/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.8
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin
15 vulnerabilities (7 moderate, 8 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
It's worth noting that this is not really introduced by create-nuxt-app itself; creating a nuxt project manually also brings all these vulnerabilities.
node --version
v16.15.0
npm --version
8.8.0
cd ~/tmp
mkdir my-nuxt-app
cd my-nuxt-app
npm init
npm install --save nuxt # will install nuxt@2.15.8
npm audit
# 15 vulnerabilities (7 moderate, 8 high)
The nuxt project itself says in https://github.com/nuxt/nuxt.js/issues/9284 that those vulnerabilities won't be fixed in 2.x because fixing them will imply breaking changes.
Quoting from the other issue:
This doesn't always mean Nuxt is vulnerable since most of them are applicable when untrusted user input is involved while these sub-dependencies in Nuxt are used in the build step and during development only.
For example, npm audit reports glob-parent <5.1.2 as a vulnerability, which https://github.com/nuxt/nuxt.js/issues/9284 lists as "safe to ignore":
2020-28469 glob-parent<5.1.2 Fixed Is only vulnerable to DoS attack when in an untrusted development environment
So it seems that nuxt 2.x will never get rid of those vulnerabilities because the packages can't be updated without breaking functionality. But apparently those vulnerabilities are in packages used in development/build time and do not represent vulnerabilities in the final nuxt apps.
https://overreacted.io/npm-audit-broken-by-design/ explains in more detail the npm audit situation for tools like create-react-app and create-nuxt-app, and why those npm audit reports are or can be misleading.
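One way to do the triage this comment describes, as an added example that is not code from this thread or from the Nuxt project: cross-reference the findings from `npm audit --json` against the `"dev": true` flags in package-lock.json (lockfileVersion 2/3), so build-time-only findings are separated from anything that would ship in the runtime dependency tree. Both JSON inputs below are constructed samples shaped like npm 8 output, and `some-runtime-lib` is a made-up package so that both buckets are exercised.

```javascript
// Constructed sample of `npm audit --json` output (auditReportVersion 2).
// Only the fields the triage needs are included.
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-parent": {
      name: "glob-parent", severity: "high", range: "<5.1.2",
      nodes: ["node_modules/watchpack-chokidar2/node_modules/glob-parent"],
    },
    "nth-check": {
      name: "nth-check", severity: "moderate", range: "<2.0.1",
      nodes: ["node_modules/svgo/node_modules/nth-check"],
    },
    // hypothetical runtime dependency, constructed for the example
    "some-runtime-lib": {
      name: "some-runtime-lib", severity: "high", range: "<1.2.3",
      nodes: ["node_modules/some-runtime-lib"],
    },
  },
};

// Constructed slice of package-lock.json: lockfile v2/v3 keys the "packages"
// map by install path (the same paths npm audit lists under "nodes") and
// marks packages reachable only through devDependencies with "dev": true.
const packageLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/watchpack-chokidar2/node_modules/glob-parent": { version: "3.1.0", dev: true },
    "node_modules/svgo/node_modules/nth-check": { version: "1.0.2", dev: true },
    "node_modules/some-runtime-lib": { version: "1.0.0" },
  },
};

// Sort findings into devOnly / runtime / unknown. A finding is devOnly only
// when every installed copy is flagged dev; one non-dev path makes it runtime;
// a path missing from the lockfile is reported as unknown rather than guessed.
function triageAudit(audit, lock) {
  const result = { devOnly: [], runtime: [], unknown: [] };
  for (const v of Object.values(audit.vulnerabilities)) {
    const entries = v.nodes.map((p) => lock.packages[p]);
    let bucket;
    if (entries.some((e) => e === undefined)) bucket = "unknown";
    else if (entries.every((e) => e.dev === true)) bucket = "devOnly";
    else bucket = "runtime";
    result[bucket].push({ name: v.name, severity: v.severity, range: v.range, nodes: v.nodes });
  }
  return result;
}
```

On a real project, replace the two constants with `JSON.parse` of `npm audit --json` output and of package-lock.json; the devOnly bucket is what the Nuxt maintainers call "safe to ignore", while anything in runtime still needs a fix or an explicit risk decision.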
Version
create-nuxt-app:
Steps to reproduce
What is Expected?
No vulnerabilities
What is actually happening?