
I am having issues with npm run build on my Vue app since updating npm.

I was first receiving some eslint related errors so I updated

"eslint": "^6.7.2"

To

"eslint": "^6.8.0"

After this I got a recommendation to run npm audit fix which returns a high severity message, referring to glob-parent <5.1.2 as well as moderate severity for nanoid.

# npm audit report

glob-parent  <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/vue-cli-plugin-vuetify/node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/vue-cli-plugin-vuetify/node_modules/webpack

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix --force`
Will install @vue/cli-plugin-unit-mocha@4.5.17, which is a breaking change
node_modules/mocha/node_modules/nanoid
  mocha  8.2.0 - 9.1.4
  Depends on vulnerable versions of nanoid
  node_modules/mocha
    @vue/cli-plugin-unit-mocha  >=5.0.0-alpha.0
    Depends on vulnerable versions of mocha
    node_modules/@vue/cli-plugin-unit-mocha

8 vulnerabilities (3 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Despite what the above message says, npm audit fix --force fails to fix these issues.

Right now, this is what the dev dependencies look like in my package.json.

"devDependencies": {
    "@mdi/font": "^5.1.45",
    "@types/chai": "^4.2.11",
    "@types/lodash": "^4.14.150",
    "@types/mocha": "^5.2.4",
    "@types/node": "^13.13.5",
    "@typescript-eslint/eslint-plugin": "^2.26.0",
    "@typescript-eslint/parser": "^2.26.0",
    "@vue/cli-plugin-babel": "^5.0.4",
    "@vue/cli-plugin-e2e-cypress": "^5.0.4",
    "@vue/cli-plugin-eslint": "^5.0.4",
    "@vue/cli-plugin-pwa": "^5.0.4",
    "@vue/cli-plugin-router": "^5.0.4",
    "@vue/cli-plugin-typescript": "^5.0.4",
    "@vue/cli-plugin-unit-mocha": "^5.0.4",
    "@vue/cli-plugin-vuex": "^5.0.4",
    "@vue/cli-service": "^5.0.4",
    "@vue/eslint-config-prettier": "^6.0.0",
    "@vue/eslint-config-typescript": "^5.0.2",
    "@vue/test-utils": "1.0.0-beta.31",
    "chai": "^4.1.2",
    "eslint": "^6.8.0",
    "eslint-plugin-prettier": "^3.1.1",
    "eslint-plugin-vue": "^6.2.2",
    "prettier": "^1.19.1",
    "sass": "^1.19.0",
    "sass-loader": "^8.0.0",
    "typescript": "~3.8.3",
    "vue-cli-plugin-vuetify": "~2.0.5",
    "vue-cli-plugin-vuetify-preset-fortnightly": "^1.0.3",
    "vue-loader": "^15.9.2",
    "vue-template-compiler": "^2.6.11",
    "vuetify-loader": "^1.3.0",
    "vuex-class": "^0.3.2",
    "vuex-module-decorators": "^0.17.0"
  }

As you can see, I do not have a glob-parent package in my dependencies currently. However, for the moment, I don't want to run any more npm installs/commands before I know more about what I am doing.

If anyone can advise me on how to move forward I would much appreciate it.

mikeym

1 Answer


"receiving some eslint related errors", which ones? Was it related to a specific version of ESLint that was getting a bug? Regarding the vulnerabilities, still the TLDR is: "it's fine if you don't have something highly critical". Updating dependencies comes down to your project: do you need some high stability (subjective, depending on the packages) or something bleeding-edge while being fully tested? This is all depending on what you're doing with your packages and requires proper consulting.

Also, I'd say that devDependencies are usually less critical anyway, because it's not something that is on runtime for your end-users/clients. But the JS world is moving quickly, so it all comes down to what you use, what is the end goal. Some projects update some dependencies every year, some update them every 2 days. Depends on the project, depends on the package, depends on what you're doing with it, depends if it's needed, needed for what also (fixing a bug, adding a feature, being faster). If the question is: "do I need to update something", the answer is: "it depends".

Of course, here we suppose that nothing is an open breach leaking personal data on your homepage (which I assume is not the case). But getting audit warnings is nothing to worry too much about, because this is how the JS ecosystem works overall. Also, the devil is in the details. Check the vulnerabilities to see if you feel concerned or if it is critical (overall or for your company). Thinking about upgrading a package? Check from the version currently installed to the one you are thinking of upgrading to, by reading the changelogs/breaking changes/features/etc.

No universal answer possible here, given the context and the fact that it depends on your project.

Want to know more about what you're doing with your dependencies? A first idea would be to start reading some documentation regarding semver, vulnerabilities, what a lock file is used for, how a dependency tree works, etc. Pretty sure there are quite a lot of resources on that subject.

kissu