frudolph77 opened this issue 2 years ago (status: Open)
With node v16.13.0 it's even worse:
$ npm install
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated mkdirp@0.3.0: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
added 1248 packages, and audited 1249 packages in 27s
80 packages are looking for funding
run `npm fund` for details
30 vulnerabilities (14 moderate, 16 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
$ npm audit
# npm audit report
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/cliui/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/cliui/node_modules/strip-ansi
node_modules/wrap-ansi/node_modules/strip-ansi
node_modules/yargs/node_modules/strip-ansi
cliui 4.0.0 - 5.0.0
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of wrap-ansi
node_modules/cliui
yargs 10.1.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of string-width
node_modules/yargs
webpack-dev-server 2.0.0-beta - 3.11.3
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/cliui/node_modules/string-width
node_modules/wrap-ansi/node_modules/string-width
node_modules/yargs/node_modules/string-width
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/wrap-ansi
webpackbar 3.0.0-0 - 3.2.0
Depends on vulnerable versions of wrap-ansi
node_modules/webpackbar
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install vuepress@0.14.11, which is a breaking change
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/chokidar
@vuepress/core <=1.8.2
Depends on vulnerable versions of chokidar
node_modules/@vuepress/core
vuepress 1.0.0-alpha.0 - 1.8.2
Depends on vulnerable versions of @vuepress/core
node_modules/vuepress
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
webpack-dev-server 2.0.0-beta - 3.11.3
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
copy-webpack-plugin 5.0.1 - 5.1.2
Depends on vulnerable versions of glob-parent
node_modules/copy-webpack-plugin
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/globby
@vuepress/shared-utils *
Depends on vulnerable versions of globby
node_modules/@vuepress/shared-utils
@vuepress/markdown <=1.8.2
Depends on vulnerable versions of @vuepress/shared-utils
node_modules/@vuepress/markdown
@vuepress/markdown-loader *
Depends on vulnerable versions of @vuepress/markdown
node_modules/@vuepress/markdown-loader
@vuepress/plugin-register-components <=1.8.2
Depends on vulnerable versions of @vuepress/shared-utils
node_modules/@vuepress/plugin-register-components
vuepress-plugin-container >=2.1.5
Depends on vulnerable versions of @vuepress/shared-utils
node_modules/vuepress-plugin-container
nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
postcss-svgo 4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
cssnano-preset-default <=4.0.8
Depends on vulnerable versions of postcss-svgo
node_modules/cssnano-preset-default
cssnano 4.0.0-nightly.2020.1.9 - 4.1.11
Depends on vulnerable versions of cssnano-preset-default
node_modules/cssnano
optimize-css-assets-webpack-plugin 3.2.1 || 5.0.0 - 5.0.8
Depends on vulnerable versions of cssnano
node_modules/optimize-css-assets-webpack-plugin
30 vulnerabilities (14 moderate, 16 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Unfortunately `npm audit fix` won't fix anything because of an open issue in @npm/cli.
I needed to dig deep to get the information that I wanted, so here is what I found: there is already an open pull request https://github.com/vuejs/vuepress/pull/2690 since 2020. But they are all updated in the next major release https://github.com/vuepress/vuepress-next
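The audit report above lists 30 entries, but almost all of them only inherit one of three advisories (ansi-regex, glob-parent, nth-check). The following is an added example, not code from the VuePress issue or the npm CLI: it parses the plain-text `npm audit` report format shown above and groups every "Depends on vulnerable versions of" entry under the advisory it inherits, so you can see which few packages actually need bumping. The sample report is a constructed subset of the one above, and the line formats are assumed to be exactly those printed by this npm version.

```javascript
// Added example (not from the VuePress project or npm). Assumes the plain-text
// `npm audit` line formats shown in the issue. SAMPLE_REPORT is a constructed subset.
const SAMPLE_REPORT = `glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/chokidar
@vuepress/core <=1.8.2
Depends on vulnerable versions of chokidar
node_modules/@vuepress/core
vuepress 1.0.0-alpha.0 - 1.8.2
Depends on vulnerable versions of @vuepress/core
node_modules/vuepress
nth-check <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
node_modules/nth-check`;

function parseAudit(text) {
  const entries = new Map();
  let cur = null;
  for (const line of text.split("\n").map((l) => l.trim()).filter(Boolean)) {
    const header = line.match(/^(\S+) ((?:[<>=*]|\d).*)$/);  // "<name> <range>" starts an entry
    if (header) { cur = { range: header[2], severity: null, advisory: null, via: [], paths: [] }; entries.set(header[1], cur); continue; }
    if (!cur) continue;                                      // tolerate stray lines before the first entry
    let m;
    if ((m = line.match(/^Severity: (\w+)$/))) cur.severity = m[1];
    else if ((m = line.match(/^Depends on vulnerable versions of (\S+)$/))) cur.via.push(m[1]);
    else if ((m = line.match(/ - (https:\/\/github\.com\/advisories\/\S+)$/))) cur.advisory = m[1];
    else if (line.startsWith("node_modules/")) cur.paths.push(line);
  }
  return entries;
}

function rootsOf(entries, name, seen = new Set()) {       // walk "via" edges up to advisory-bearing entries
  const e = entries.get(name);
  if (!e || seen.has(name)) return [];
  seen.add(name);
  return e.advisory ? [name] : e.via.flatMap((dep) => rootsOf(entries, dep, seen));
}

// Group the report by root advisory: fixing one root clears every entry that inherits it.
function summarize(entries) {
  const roots = {};
  for (const name of entries.keys()) {
    for (const root of new Set(rootsOf(entries, name))) {
      roots[root] = roots[root] || { severity: entries.get(root).severity, advisory: entries.get(root).advisory, inherited: [] };
      if (name !== root) roots[root].inherited.push(name);
    }
  }
  return roots;
}
```

Run `summarize(parseAudit(report))` on the full report above to see the 30 entries collapse to the three root advisories and the packages that merely inherit them.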
Just FYI this repo is deprecated and will continue to accrue security and dependency deprecation issues.
From the readme:
VuePress is now in maintenance mode. For a next-gen Vue-based SSG built on top of Vue 3 + Vite, check out VitePress.
It is frustrating that a Google search for vuepress goes to vuepress 1.x and there is no clear mention that you are on a deprecated project. Almost like putting the gun in your hand, pointing it at your foot and saying "you should be more careful!"
This is "vuepress-next": https://v2.vuepress.vuejs.org/
Bug report
Steps to reproduce
What is expected?
Zero security vulnerabilities
What is actually happening?
Twelve security vulnerabilities
Other relevant information
npx vuepress info in my VuePress project:
I have deep dived into the modules.
Regarding chalk: the newest version of chalk is 4.1.2 and has no dependency on has-ansi since at least 2.0.0. All other vulnerabilities should be fixed with newer versions of webpack-dev-server and webpackbar. All the libs depending on ansi-regex are using newer versions.
Regarding glob-parent: updating globby, chokidar and copy-webpack-plugin should fix it; the libs depending on glob-parent are using newer versions.