
npm / yarn audit #371

Closed
BAllendorf-OneFiber opened this issue Jun 22, 2022 · 3 comments

Comments

@BAllendorf-OneFiber

Hey everyone,

I've noted that running yarn audit (which, in contrast to npm, isn't run each time one installs packages) results in:

[...]
10 vulnerabilities found - Packages audited: 789
Severity: 2 Low | 2 Moderate | 6 High

Running yarn install additionally prints several warnings:

warning workspace-aggregator-9c779bdc-89cf-4689-b83d-ba10f626e9be > qwc2 > form-data-entries@1.0.4: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
[2/4] Fetching packages...
warning geotiff@1.0.9: The engine "browsers" appears to be invalid.
[3/4] Linking dependencies...
warning " > babel-loader@8.2.3" has unmet peer dependency "@babel/core@^7.0.0".
warning "workspace-aggregator-9c779bdc-89cf-4689-b83d-ba10f626e9be > qwc2 > react-html-parser@2.0.2" has incorrect peer dependency "react@^0.14.0 || ^15.0.0 || ^16.0.0-0".

I think this is in part due to the usage of fixed version numbers both in the demo's package.json and in qwc2's. I guess at least Patch Releases, better also Minor Releases, should be allowed (https://docs.npmjs.com/about-semantic-versioning)?

@manisandro
Member

The incorrect peer dependencies are issues with the packages themselves, not much to be done about that on qwc2 side (except if a newer upstream version is out which fixes the issue).

Regarding the babel issue, the current setup should have

"@babel/core": "7.15.8",

in qwc2/package.json and

"babel-loader": "8.2.3",

in the app package.json, which should satisfy the dependency. I'd say it's up to the app package.json to respect the dependencies provided by qwc2/package.json?

@BAllendorf-OneFiber
Author

Hey @manisandro, thanks for your reply!

I guess the problem lies with “except if a newer upstream version is out“. Right now, because of the strict package numbers, the update needs to be done manually and thus probably only happens sporadically. There are only a few reasons to exactly fix a version instead of using the caret (^) but in qwc2 (and the demo project) most versions are.

Changing "webpack-dev-server": "4.3.1" to "webpack-dev-server": "^4.3.1" already resolves most of the security issues (without any breaking changes, thanks to SemVer).

Then, package.json and yarn.lock are out of sync or outdated, because either doing yarn upgrade or removing the yarn.lock and then running yarn install results in even fewer security warnings.

Finally, “Arbitrary Code Execution in underscore” remains. Even though there is a fix available, qwc2 depends directly on country-language which appears to be not supported anymore and hasn’t updated its dependencies correctly (therefore, it shouldn’t be used anymore?).

Digging into this revealed more opportunities for improvement (besides security issues or multiple babel versions) like upgrading core-js to >=3.23.3 because the usage of v3.19.0 is discouraged.
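The caret-versus-pinned behaviour described in the comment above, as an added example that is not part of this issue or of the qwc2 project. It re-implements the npm semver caret rule by hand (real resolution is done by yarn/npm via the `semver` package, not this code); the release list `PUBLISHED` is constructed for a hypothetical dependency, with 4.3.2 standing in for a release that carries a security fix.

```javascript
// Added example (not from qwc2): a minimal model of how a caret range in
// package.json resolves compared with an exact pin. Follows the documented
// semver caret rule: any change is allowed as long as the left-most non-zero
// component of the version stays the same. Only plain x.y.z versions are
// handled here; prerelease tags and other range operators are out of scope.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two parsed [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Exclusive upper bound of a caret range: bump the left-most non-zero part.
//   ^4.3.1 -> <5.0.0   ^0.2.3 -> <0.3.0   ^0.0.3 -> <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Does `version` satisfy `range`? A leading "^" is a caret range; anything
// else is treated as an exact pin such as "4.3.1".
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const lower = parseVersion(range.slice(1));
    const upper = caretUpperBound(lower);
    return cmp(v, lower) >= 0 && cmp(v, upper) < 0;
  }
  return cmp(v, parseVersion(range)) === 0;
}

// What a lockfile refresh (yarn upgrade, or deleting yarn.lock and running
// yarn install) would select: the highest published version the constraint
// accepts, or null if none does.
function highestSatisfying(range, published) {
  const ok = published.filter((p) => satisfies(p, range));
  if (ok.length === 0) return null;
  return ok.sort((a, b) => cmp(parseVersion(a), parseVersion(b))).pop();
}

// Constructed release history for a hypothetical dependency. 4.3.2 stands in
// for the release that ships a security fix; 5.0.0 is a breaking major.
const PUBLISHED = ['4.3.0', '4.3.1', '4.3.2', '4.9.0', '5.0.0'];

function report(range) {
  return { range, resolved: highestSatisfying(range, PUBLISHED) };
}

console.log(report('4.3.1'));  // pinned: stays on 4.3.1, the fix is never picked up
console.log(report('^4.3.1')); // caret: moves to 4.9.0, still below 5.0.0
console.log(report('^0.2.3')); // 0.x caret: nothing in PUBLISHED qualifies -> null
```

With a yarn.lock present, either constraint installs exactly what the lockfile records; the difference only shows up when the lockfile is refreshed, which is what `yarn upgrade` or removing yarn.lock does, so a caret range without periodic refreshes still leaves the fixed release uninstalled.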

@manisandro
Member

I've relaxed the version constraints throughout using ^.
