odoo / owl

OWL: A web framework for structured, dynamic and maintainable applications
https://odoo.github.io/owl/

Lots of vulnerabilities when following the quick start #1614

Closed Devryc closed 4 months ago

Devryc commented 4 months ago

Hi, I'm trying to follow the tutorial on the Standard JavaScript project. When I have set up all the files I get this output when I run `npm i`:


110 packages are looking for funding
  run `npm fund` for details

36 vulnerabilities (1 low, 17 moderate, 13 high, 5 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

And if I do `npm fund`:

hello_owl@0.1.0
├─┬ https://opencollective.com/babel
│ │ └── @babel/core@7.24.5
│ └── https://opencollective.com/browserslist
│     └── browserslist@4.23.0, caniuse-lite@1.0.30001618, update-browserslist-db@1.0.16
├─┬ https://opencollective.com/webpack
│ │ └── webpack@4.47.0, schema-utils@2.7.1
│ ├── https://github.com/sponsors/feross
│ │   └── base64-js@1.5.1, ieee754@1.2.1, safe-buffer@5.2.1, arch@2.2.0
│ ├── https://github.com/sponsors/ljharb
│ │   └── qs@6.12.1, minimist@1.2.8, function-bind@1.1.2, define-properties@1.2.1, define-data-property@1.1.4, gopd@1.0.1, get-intrinsic@1.2.4, has-proto@1.0.3, has-symbols@1.0.3, has-property-descriptors@1.0.2, object.getownpropertydescriptors@2.1.8, array.prototype.reduce@1.0.7, is-string@1.0.7, has-tostringtag@1.0.2, call-bind@1.0.7, es-abstract@1.23.3, array-buffer-byte-length@1.0.1, arraybuffer.prototype.slice@1.0.3, available-typed-arrays@1.0.7, data-view-buffer@1.0.1, data-view-byte-length@1.0.1, data-view-byte-offset@1.0.0, es-to-primitive@1.2.1, is-date-object@1.0.5, is-symbol@1.0.4, function.prototype.name@1.1.6, functions-have-names@1.2.3, get-symbol-description@1.0.2, globalthis@1.0.4, is-array-buffer@3.0.4, is-callable@1.2.7, is-data-view@1.0.1, is-negative-zero@2.0.3, is-regex@1.1.4, is-shared-array-buffer@1.0.3, is-typed-array@1.1.13, is-weakref@1.0.2, object-inspect@1.13.1, object.assign@4.1.5, regexp.prototype.flags@1.5.2, safe-regex-test@1.0.3, string.prototype.trim@1.2.9, string.prototype.trimend@1.0.8, string.prototype.trimstart@1.0.8, typed-array-byte-length@1.0.1, typed-array-byte-offset@1.0.2, typed-array-length@1.0.6, unbox-primitive@1.0.2, has-bigints@1.0.2, which-boxed-primitive@1.0.2, is-bigint@1.0.4, is-boolean-object@1.1.2, is-number-object@1.0.7, which-typed-array@1.1.15, side-channel@1.0.6, safe-array-concat@1.1.2, resolve@1.22.8, is-core-module@2.13.1, supports-preserve-symlinks-flag@1.0.0, deep-equal@1.1.2, is-arguments@1.1.1, object-is@1.1.6, qs@6.11.0
│ └─┬ https://paulmillr.com/funding/
│   │ └── chokidar@3.6.0, async-each@1.0.6
│   └── https://github.com/sponsors/sindresorhus
│       └── binary-extensions@2.3.0, component-emitter@1.3.1, make-dir@4.0.0, p-limit@2.3.0, import-local@3.1.0, ansi-escapes@4.3.2, type-fest@0.21.3, p-each-series@2.2.0, terminal-link@2.1.1, is-docker@2.2.1, get-stream@5.2.0, is-stream@2.0.1, onetime@5.1.2, array-equal@1.0.2, read-pkg-up@7.0.1, parse-json@5.2.0
├── https://github.com/sponsors/jonschlinkert
│   └── picomatch@2.3.1
├── https://github.com/sponsors/isaacs
│   └── glob@7.2.3, rimraf@3.0.2
├── https://github.com/chalk/ansi-styles?sponsor=1
│   └── ansi-styles@4.3.0
├── https://github.com/avajs/find-cache-dir?sponsor=1
│   └── find-cache-dir@3.3.2
├─┬ https://github.com/sponsors/fb55
│ │ └── css-select@4.3.0, css-what@6.1.0, domelementtype@2.3.0
│ ├── https://github.com/fb55/domhandler?sponsor=1
│ │   └── domhandler@4.3.1
│ ├─┬ https://github.com/fb55/domutils?sponsor=1
│ │ │ └── domutils@2.8.0
│ │ └─┬ https://github.com/cheeriojs/dom-serializer?sponsor=1
│ │   │ └── dom-serializer@1.4.1
│ │   └── https://github.com/fb55/entities?sponsor=1
│ │       └── entities@2.2.0
│ └── https://github.com/fb55/nth-check?sponsor=1
│     └── nth-check@2.1.1
├── https://github.com/fb55/htmlparser2?sponsor=1
│   └── htmlparser2@6.1.0
├── https://tidelift.com/funding/github/npm/loglevel
│   └── loglevel@1.9.1
├── https://tidelift.com/funding/github/npm/sockjs-client
│   └── sockjs-client@1.6.1
└── https://github.com/sponsors/RubenVerborgh
    └── follow-redirects@1.15.6

Then if I use `npm audit fix` I get:

up to date, audited 1334 packages in 7s

110 packages are looking for funding
  run `npm fund` for details

# npm audit report

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install serve@14.2.3, which is a breaking change
node_modules/serve/node_modules/ajv
  serve  7.0.0 - 14.0.1
  Depends on vulnerable versions of ajv
  Depends on vulnerable versions of serve-handler
  node_modules/serve

babel-traverse  *
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
No fix available
node_modules/babel-traverse
  babel-template  *
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-template
    babel-plugin-transform-es2015-modules-commonjs  <=7.0.0-beta.0
    Depends on vulnerable versions of babel-template
    node_modules/babel-plugin-transform-es2015-modules-commonjs

glob-parent  <5.1.2
Severity: high
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install webpack-dev-server@5.0.4, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.47.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  <=4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    Depends on vulnerable versions of webpack-dev-middleware
    node_modules/webpack-dev-server

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
fix available via `npm audit fix --force`
Will install html-webpack-plugin@5.6.0, which is a breaking change
node_modules/html-minifier
  html-webpack-plugin  1.4.0 - 4.0.0-beta.14
  Depends on vulnerable versions of html-minifier
  Depends on vulnerable versions of loader-utils
  node_modules/html-webpack-plugin

jsdom  <=16.5.3
Severity: moderate
Insufficient Granularity of Access Control in JSDom - https://github.com/advisories/GHSA-f4c9-cqv8-9v98
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-native
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install jest@29.7.0, which is a breaking change
node_modules/jsdom
  jest-environment-jsdom  10.0.2 - 25.5.0
  Depends on vulnerable versions of jsdom
  node_modules/jest-environment-jsdom
    jest-config  12.1.1-alpha.2935e14d - 25.5.4
    Depends on vulnerable versions of @jest/test-sequencer
    Depends on vulnerable versions of jest-environment-jsdom
    Depends on vulnerable versions of jest-jasmine2
    node_modules/jest-config
      jest-cli  12.1.1-alpha.2935e14d || 12.1.2-alpha.6230044c - 25.5.4
      Depends on vulnerable versions of @jest/core
      Depends on vulnerable versions of jest-config
      node_modules/jest-cli
        jest  12.1.2-alpha.6230044c - 25.5.4
        Depends on vulnerable versions of @jest/core
        Depends on vulnerable versions of jest-cli
        node_modules/jest
      jest-runner  21.0.0-alpha.1 - 25.5.4
      Depends on vulnerable versions of jest-config
      Depends on vulnerable versions of jest-jasmine2
      Depends on vulnerable versions of jest-runtime
      node_modules/jest-runner
      jest-runtime  12.1.1-alpha.2935e14d - 25.5.4
      Depends on vulnerable versions of jest-config
      node_modules/jest-runtime
        @jest/test-sequencer  <=25.5.4
        Depends on vulnerable versions of jest-runner
        Depends on vulnerable versions of jest-runtime
        node_modules/@jest/test-sequencer
        jest-jasmine2  24.2.0-alpha.0 - 25.5.4
        Depends on vulnerable versions of jest-runtime
        node_modules/jest-jasmine2

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install html-webpack-plugin@5.6.0, which is a breaking change
node_modules/html-webpack-plugin/node_modules/json5
  loader-utils  <=1.4.0
  Depends on vulnerable versions of json5
  node_modules/html-webpack-plugin/node_modules/loader-utils

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install serve@14.2.3, which is a breaking change
node_modules/serve-handler/node_modules/minimatch
  serve-handler  1.1.0 - 6.1.3
  Depends on vulnerable versions of minimatch
  node_modules/serve-handler

node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix --force`
Will install webpack-dev-server@5.0.4, which is a breaking change
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

node-notifier  <8.0.1
Severity: moderate
OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix --force`
Will install jest@29.7.0, which is a breaking change
node_modules/node-notifier
  @jest/reporters  <=26.4.0
  Depends on vulnerable versions of node-notifier
  node_modules/@jest/reporters
    @jest/core  <=25.5.4
    Depends on vulnerable versions of @jest/reporters
    Depends on vulnerable versions of jest-config
    Depends on vulnerable versions of jest-runner
    Depends on vulnerable versions of jest-runtime
    node_modules/@jest/core

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install jest@29.7.0, which is a breaking change
node_modules/request
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    Depends on vulnerable versions of tough-cookie
    node_modules/request-promise-native

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install jest@29.7.0, which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie
node_modules/tough-cookie

webpack-dev-middleware  <=5.3.3
Severity: high
Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
fix available via `npm audit fix --force`
Will install webpack-dev-server@5.0.4, which is a breaking change
node_modules/webpack-dev-middleware

36 vulnerabilities (1 low, 17 moderate, 13 high, 5 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

It shows a lot of vulnerabilities in the packages it uses and makes it so insecure. I want to develop some static apps for my Odoo and I'm trying to develop locally.

Thanks a lot. Diego.

sdegueldre commented 4 months ago

The result of npm audit does not constitute a valid report of security vulnerabilities. As far as I'm aware, none of these vulnerabilities can be exploited within Owl because these are all dev dependencies; none of them are bundled into Owl itself. Writing code into the Owl code base and then compiling Owl does not constitute a valid attack vector: users are not compiling Owl, and users would have to add untrusted code to Owl itself and then run or compile it to trigger them. If you're running or compiling Owl after adding untrusted code to the code base, all bets are off.

If you can figure out a way to exploit any of these vulnerabilities in the compiled Owl runtime or Owl compiler, please follow our responsible disclosure policy outlined here: https://www.odoo.com/security-report

Devryc commented 4 months ago

Hi @sdegueldre. I just posted this in case it is possible to "update" or change some dev dependencies so that fewer vulnerabilities are installed by this "quick start" guide.

Thanks a lot for your explanation.

ged-odoo commented 4 months ago

@Devryc yes, you're right, we should go through that material and update it