The latest version depends on vulnerable packages - Please consider upgrading its dependencies.

[shadowc]

# npm audit report

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
No fix available
node_modules/loader-utils/node_modules/json5
  loader-utils  <=1.4.0
  Depends on vulnerable versions of json5
  node_modules/loader-utils
    generic-names  <=1.0.3
    Depends on vulnerable versions of loader-utils
    node_modules/generic-names
      postcss-modules-sync  *
      Depends on vulnerable versions of generic-names
      Depends on vulnerable versions of postcss
      Depends on vulnerable versions of postcss-modules-local-by-default
      Depends on vulnerable versions of postcss-modules-scope
      node_modules/postcss-modules-sync
        @vue/component-compiler  *
        Depends on vulnerable versions of postcss-modules-sync
        node_modules/@vue/component-compiler
          esbuild-vue  *
          Depends on vulnerable versions of @vue/component-compiler
          node_modules/esbuild-vue


postcss  <7.0.36
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
No fix available
node_modules/postcss-modules-local-by-default/node_modules/postcss
node_modules/postcss-modules-scope/node_modules/postcss
node_modules/postcss-modules-sync/node_modules/postcss
  postcss-modules-local-by-default  <=1.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-local-by-default
  postcss-modules-scope  <=1.1.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope

[apeschar]

I'm not sure whether this is fixed in later Vue 2 versions. It might be worth checking. I'm not planning to do so at this time. PRs are welcome.

However any vulnerabilities won't impact users, unless they are compiling untrusted Vue components.