[#32738] - [4] NPM "3 high severity vulnerabilities"
- Closed
- 15 Apr 2021
- Medium
- Build: staging
- # 32738
Steps to reproduce the issue
git checkout 4.0-dev
npm ci
Expected result
No vulnerabilities in dependancies.
Actual result
Timer: Build finished in 35536 ms
added 1024 packages, and audited 1025 packages in 44s
12 packages are looking for funding
run `npm fund` for details
3 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
System information (as much as possible)
Mac.
Additional comments
Im aware that this is an ongoing issue, I wonder if there is now a plan on how the project will be dealing with this via automation going forward?
running npm audit fix --force currently gives
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating rollup-plugin-vue to 6.0.0,which is a SemVer major change.
npm WARN ERESOLVE overriding peer dependency
npm WARN Found: vue@2.6.12
npm WARN node_modules/vue
npm WARN vue@"^2.6.12" from the root project
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer vue@"3.0.7" from @vue/compiler-sfc@3.0.7
npm WARN node_modules/@vue/compiler-sfc
npm WARN peer @vue/compiler-sfc@"*" from rollup-plugin-vue@6.0.0
npm WARN node_modules/rollup-plugin-vue
added 25 packages, removed 124 packages, changed 4 packages, and audited 926 packages in 6s
13 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
joomla-cms-bot
- | Labels |
Added:
?
|
||
| Title |
|
||||||
so we need a manually created PR when someone can be bothered to at the moment ? :-) is that what you mean by Merge Back ?
we just need a clear statement on what are the minimum requirements for node npm etc....
just that
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-03-18 19:14:12 |
| Closed_By | ⇒ | PhilETaylor |
| Status | Closed | ⇒ | New |
| Closed_Date | 2021-03-18 19:14:12 | ⇒ | |
| Closed_By | PhilETaylor | ⇒ |
Actually, at some point, someone needs to bite the bullet and update vue to version 3. Anyways I'll check if there's a workaround here (obviously I'm not willing to do the vue upgrade)
Not that easy, anyways PR: vuejs/rollup-plugin-vue#433
Thanks for taking a look. I know my own limitations :)
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-04-15 18:32:05 |
| Closed_By | ⇒ | PhilETaylor |
Timer: Build finished in 35901 ms
added 927 packages, and audited 928 packages in 41s
116 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
Therefore closing.
@PhilETaylor just run
npm audit fixand merge back the package.json and the lock file (this should be automated for minor patch version)