remix-run / blues-stack

The Remix Stack for deploying to Fly with PostgreSQL, authentication, testing, linting, formatting, etc.
https://remix.run/stacks
MIT License

Multiple high severity vulnerabilities warnings while installing Remix Blues stack #24

Closed binajmen closed 2 years ago

binajmen commented 2 years ago

What version of Remix are you using?

latest via npx create-remix

Steps to Reproduce

Run npx create-remix --template remix-run/blues-stack in console

Expected Behavior

No severe warnings

Actual Behavior

➜  ~/Projects  npx create-remix --template remix-run/blues-stack
Need to install the following packages:
  create-remix
Ok to proceed? (y) y
💿 Welcome to Remix! Let's get you set up with a new project.

npm WARN deprecated rollup-plugin-inject@3.0.2: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-inject.
? Where would you like to create your app? ./my-project
? Do you want me to run `npm install`? Yes
npm WARN deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated rollup-plugin-inject@3.0.2: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-inject.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.

> postinstall
> remix setup node

Successfully setup Remix for node.

added 1212 packages, and audited 1213 packages in 53s

230 packages are looking for funding
  run `npm fund` for details

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
💿 Running remix.init script
Setup is almost complete. Follow these steps to finish initialization:

- Start the database:
  npm run docker

- Run setup:
  npm run setup

- You're now ready to rock and roll 🤘
  npm run dev
💿 That's it! `cd` into "/Users/benjamin/Projects/my-project" and check the README for development and deploy instructions!
➜  ~/Projects  cd my-project
➜  ~/Projects/my-project  npm audit    
# npm audit report

trim-newlines  <3.0.1
Severity: high
Regular Expression Denial of Service in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix --force`
Will install @remix-run/dev@1.2.3, which is a breaking change
node_modules/chalk-animation/node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/chalk-animation/node_modules/meow
    chalk-animation  >=1.4.0
    Depends on vulnerable versions of meow
    node_modules/chalk-animation
      @remix-run/dev  <=0.0.0-experimental-fde68a7 || >=1.3.0-pre.1
      Depends on vulnerable versions of chalk-animation
      node_modules/@remix-run/dev

4 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
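The audit report above lists one advisory (GHSA-7p7h-4mm5-852v) but counts four high severity vulnerabilities, because npm counts every package on the dependency path from the vulnerable leaf up to the direct dependency. The following is an added example, not code from the blues-stack repo or Remix: it walks the JSON form of such a report (`npm audit --json`, auditReportVersion 2) from the leaf to the direct dependency that owns the finding and notes whether the offered fix is a breaking change. The `sampleReport` object is constructed by hand to mirror the chain in this issue and is not real npm output.

```javascript
// Added example (not code from blues-stack or Remix): walk an `npm audit --json`
// (auditReportVersion 2) report from the vulnerable leaf up to the direct dependency
// that pulls it in. `sampleReport` is hand-constructed to mirror this issue's chain.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "trim-newlines": {
      name: "trim-newlines", severity: "high", isDirect: false,
      via: [{ name: "trim-newlines", severity: "high", range: "<3.0.1",
              title: "Regular Expression Denial of Service in trim-newlines",
              url: "https://github.com/advisories/GHSA-7p7h-4mm5-852v" }],
      effects: ["meow"],
      fixAvailable: { name: "@remix-run/dev", version: "1.2.3", isSemVerMajor: true },
    },
    "meow": { name: "meow", severity: "high", isDirect: false,
              via: ["trim-newlines"], effects: ["chalk-animation"] },
    "chalk-animation": { name: "chalk-animation", severity: "high", isDirect: false,
                         via: ["meow"], effects: ["@remix-run/dev"] },
    "@remix-run/dev": { name: "@remix-run/dev", severity: "high", isDirect: true,
                        via: ["chalk-animation"], effects: [] },
  },
};

// One record per advisory: the leaf-to-root chain plus what a fix would cost.
// In npm's format, `via` holds advisory objects on the leaf and plain package
// names further up, and `effects` lists the packages that depend on this one.
function rootCauseChains(report) {
  const vulns = report.vulnerabilities;
  const walkUp = (name, path) => {
    const node = vulns[name];
    if (!node || path.includes(name)) return [path]; // missing node or cycle: stop
    const next = [...path, name];
    if (node.isDirect || node.effects.length === 0) return [next];
    return node.effects.flatMap((parent) => walkUp(parent, next));
  };
  const out = [];
  for (const v of Object.values(vulns)) {
    for (const adv of v.via.filter((x) => typeof x === "object")) {
      for (const chain of walkUp(v.name, [])) {
        const root = vulns[chain[chain.length - 1]];
        out.push({
          advisory: adv.url, severity: adv.severity, chain,
          rootIsDirect: Boolean(root && root.isDirect),
          breakingFix: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
        });
      }
    }
  }
  return out;
}
```

Run against a real report (`npm audit --json > audit.json`, then `JSON.parse` the file in place of `sampleReport`), each record names the direct dependency to raise the issue against, which is the question this thread ends up answering by hand.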
machour commented 2 years ago

Thinking out loud: should we enable dependabot for stacks?

MichaelDeBoey commented 2 years ago

@machour I know @kentcdodds isn't a fan of using @dependabot, although I think it can be valuable tbh.

MichaelDeBoey commented 2 years ago

@binajmen I just updated all dependencies in #25 (did this for all stacks), but I still get these 4 vulnerability warnings, so nothing else we can do for now I'm afraid 🤷‍♂️

binajmen commented 2 years ago

@MichaelDeBoey no problem on my side. As I suppose these kinds of warnings will trigger future remix'ers, it is still good to acknowledge it here.

It seems to be a false positive anyway: https://github.com/sindresorhus/trim-newlines/issues/8#issuecomment-879693347

No, it's not serious. It's just a "vulnerability" that may affect 0.0000001% of users, but waste the time of everyone.

I leave it to you to decide whether or not you want to keep the issue open ;)

MichaelDeBoey commented 2 years ago

@binajmen Strange, as I still get them when removing node_modules & package-lock.json and running npm i 🤔

binajmen commented 2 years ago

By false positive, I meant "classified as not a serious vulnerability" by the author.

This is supposed to be a 4-line package 😄 https://github.com/sindresorhus/trim-newlines/commit/25246c6ce5eea1c82d448998733a6302a4350d91

kentcdodds commented 2 years ago

The issue is not with the blues stack but with transitive dependencies. We can't do anything about those in this repo, so I'll close this issue. Feel free to open PRs in the deps to fix these issues.

MichaelDeBoey commented 2 years ago

@binajmen I've created a PR to remove the unused chalk-animation dependency, which is causing this warning: https://github.com/remix-run/remix/pull/2547

isaacs commented 2 years ago

In the meantime: https://github.com/remix-run/remix/issues/2373#issuecomment-1098271175

MichaelDeBoey commented 2 years ago

https://github.com/remix-run/remix/pull/2547 is merged, so it will be released when 3.4.0 gets released. Once that's done, we'll update the package-lock.json of all stacks, which should fix these warnings.