@vue/cli-shared-utils have execa@1.0.0 as a dependency that have security issues (4 years old)

[Spronghi]

Version

5.0.4

Reproduction link

github.com

Environment info

  System:
    OS: macOS 12.3.1
    CPU: (8) x64 Intel(R) Core(TM) i5-1038NG7 CPU @ 2.00GHz
  Binaries:
    Node: 14.18.2 - ~/.nvm/versions/node/v14.18.2/bin/node
    Yarn: Not Found
    npm: 6.14.15 - ~/.nvm/versions/node/v14.18.2/bin/npm
  Browsers:
    Chrome: 101.0.4951.54
    Edge: Not Found
    Firefox: 99.0.1
    Safari: 15.4
  npmPackages:
    @vue/cli-shared-utils: ^5.0.4 => 5.0.4 
  npmGlobalPackages:
    @vue/cli: 5.0.3

Steps to reproduce

just init a project and install @vue/cli-service, the latest version:

mkdir execa-issue
npm init
npm install --save-dev @vue/cli-shared-utils

What is expected?

Is expected that dependencies are updated time to time, execa@1.0.0 is 4 years old and comes with security issues

What is actually happening?

execa@1.0.0 is a direct dependency of this library

[haoqunjiang]

comes with security issues

Can you elaborate? It's old but I never knew it had any security issues.

[haoqunjiang]

https://snyk.io/test/npm/execa/1.0.0

[Spronghi]

Please have a look at this: sindresorhus/os-name#11
Also.. I know about a lot of static scanner like sonar or nexus that doesn't allow to have dependencies older then 3 years. The reason is that is difficult to take track of issues if the library is not used by many people anymore..
Would it be difficult to update it?

[haoqunjiang]

Please have a look at this: sindresorhus/os-name#11

I don't see how the preferLocal feature can be exploited when using Vue CLI. I don't think it's a vulnerability here.

Also.. I know about a lot of static scanner like sonar or nexus that doesn't allow to have dependencies older then 3 years. The reason is that is difficult to take track of issues if the library is not used by many people anymore..

That's too arbitrary and unreasonable.
For example, source-map, one of the most widely used packages in the JavaScript ecosystem, does not meet this requirement.

Would it be difficult to update it?

Yes. Too many breaking changes yet too little gain.

[Spronghi]

Ok that's completely fine. Thanks a lot for your time!