x3dom / x3dom

X3DOM. A framework for integrating and manipulating X3D scenes as HTML5/DOM elements.
http://x3dom.org

A dependency(jsdoc 3.6.3) has high severity vulnerabilities #1273

Closed microaaron closed 1 year ago

microaaron commented 1 year ago

https://github.com/x3dom/x3dom/blob/2f5f5c8bcb6c065c945364956ba131a30a4fbded/package.json#L38

# npm audit report

taffydb  *
Severity: high
TaffyDB can allow access to any data items in the DB - https://github.com/advisories/GHSA-mxhp-79qh-mcx6
fix available via `npm audit fix --force`
Will install jsdoc@4.0.2, which is a breaking change
node_modules/taffydb
  jsdoc  3.2.0-dev - 3.6.11
  Depends on vulnerable versions of taffydb
  node_modules/jsdoc

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

But documentation cannot be built after upgrading to jsdoc 4.0.2.

FATAL: Unable to load template: Cannot find module 'taffydb'
microaaron commented 1 year ago

TaffyDB is just for building documents. It may not be a serious problem.

andreasplesch commented 1 year ago

Agreed, not critical. Do you know if jsdoc mentions an upgrade path ?

microaaron commented 1 year ago

jsdoc 4.x.x no longer depends on TaffyDB, but https://github.com/x3dom/x3dom/blob/master/build/jsdoc/jsdoc-template/publish.js still depends on TaffyDB. After upgrading jsdoc to 4.0.2, add taffydb in "devDependencies", and the documents can be built.

"jsdoc": "^4.0.2",
"taffydb": "^2.7.3"

Of course, npm will still report high severity vulnerabilities.
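
The judgement above (taffydb only matters at documentation-build time) can be checked mechanically rather than by inspection. The script below is an added example for this thread, not x3dom code: it reads an npm lockfile (lockfileVersion 2 or 3, where npm marks packages reachable only through devDependencies with "dev": true, and "devOptional": true for dev-or-optional edges) and reports, for each package an audit flagged, whether it ships with the application or is build-only. The lockfile content is constructed for the example and is not x3dom's package-lock.json; the package names other than jsdoc, taffydb and @jsdoc/salty are placeholders.

```python
"""Classify audit-flagged npm packages as dev-only or production.

Added example for this thread; it is not x3dom code. npm lockfiles with
lockfileVersion 2 or 3 carry a "packages" map keyed by install path, and
npm marks packages reachable only through devDependencies with "dev": true
(and "devOptional": true for those reachable only via dev or optional
edges). Checking that flag for every installed copy of a flagged package
tells you whether it is part of the shipped dependency tree or only runs
at build time, which is the distinction the thread relies on for taffydb.
"""
import json
import sys

# Constructed lockfile fragment for the example (not x3dom's package-lock.json).
# "some-runtime-lib" and "lodash" stand in for arbitrary runtime dependencies.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-project",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "name": "example-project",
            "dependencies": {"some-runtime-lib": "^1.0.0"},
            "devDependencies": {"jsdoc": "^4.0.2", "taffydb": "^2.7.3"},
        },
        "node_modules/some-runtime-lib": {"version": "1.0.0"},
        "node_modules/jsdoc": {"version": "4.0.2", "dev": True},
        "node_modules/taffydb": {"version": "2.7.3", "dev": True},
        "node_modules/@jsdoc/salty": {"version": "0.2.5", "dev": True},
        # The hoisted lodash is dev-only, but a runtime dependency carries its
        # own nested copy, so lodash as a whole reaches production.
        "node_modules/lodash": {"version": "4.17.21", "dev": True},
        "node_modules/some-runtime-lib/node_modules/lodash": {"version": "4.17.20"},
    },
})


def installed_copies(packages, name):
    """All lockfile entries for `name`, whether hoisted or nested."""
    suffix = "/node_modules/" + name
    return [meta for path, meta in packages.items()
            if path == "node_modules/" + name or path.endswith(suffix)]


def classify_packages(lockfile_text, flagged):
    """Map each flagged package name to 'dev-only', 'production' or 'not-installed'."""
    lock = json.loads(lockfile_text)
    if lock.get("lockfileVersion", 1) < 2:
        raise ValueError("lockfileVersion 2 or 3 required; regenerate with npm 7 or later")
    packages = lock["packages"]
    result = {}
    for name in flagged:
        copies = installed_copies(packages, name)
        if not copies:
            result[name] = "not-installed"
        # Every installed copy must be dev-only; a single copy without the
        # flag means the package is part of the shipped dependency tree.
        elif all(meta.get("dev") or meta.get("devOptional") for meta in copies):
            result[name] = "dev-only"
        else:
            result[name] = "production"
    return result


def production_exposure(lockfile_text, flagged):
    """Flagged packages that reach production, i.e. the ones needing real triage."""
    return sorted(name for name, kind in classify_packages(lockfile_text, flagged).items()
                  if kind == "production")


if __name__ == "__main__":
    # Usage: python check_dev_only.py package-lock.json taffydb jsdoc
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE
    names = sys.argv[2:] or ["taffydb", "jsdoc", "some-runtime-lib", "lodash"]
    for name, kind in classify_packages(text, names).items():
        print(f"{name}: {kind}")
```

Run it against the real package-lock.json with the names from the audit output; anything reported as "production" is a finding that the "only for building documents" argument does not cover. On npm 8 and later, `npm audit --omit=dev` should give the same split from npm's side and is a useful cross-check.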

andreasplesch commented 1 year ago

Thanks. Do you want to try replacing taffy with

https://snyk.io/advisor/npm-package/@jsdoc/salty ?

microaaron commented 1 year ago

There is a problem with @jsdoc/salty: {isUndefined: false} cannot be parsed. https://github.com/x3dom/x3dom/blob/2f5f5c8bcb6c065c945364956ba131a30a4fbded/build/jsdoc/jsdoc-template/publish.js#L522

andreasplesch commented 1 year ago

Thanks for giving it a shot. Apparently salty does not implement that. Let's close the issue for now. Perhaps there will be a response upstream.

microaaron commented 5 months ago

@andreasplesch Salty now fixed this problem.