I am having issues with npm run build on my Vue app since updating npm.
I was first receiving some eslint related errors so I updated "eslint": "^6.7.2" to "eslint": "^6.8.0".
After this I got a recommendation to run npm audit fix, which returns a high severity message referring to glob-parent <5.1.2, as well as moderate severity for nanoid.
# npm audit report
glob-parent <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/watchpack-chokidar2/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/vue-cli-plugin-vuetify/node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/vue-cli-plugin-vuetify/node_modules/webpack
nanoid 3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix --force`
Will install @vue/cli-plugin-unit-mocha@4.5.17, which is a breaking change
node_modules/mocha/node_modules/nanoid
mocha 8.2.0 - 9.1.4
Depends on vulnerable versions of nanoid
node_modules/mocha
@vue/cli-plugin-unit-mocha >=5.0.0-alpha.0
Depends on vulnerable versions of mocha
node_modules/@vue/cli-plugin-unit-mocha
8 vulnerabilities (3 moderate, 5 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Despite what the above message says, npm audit fix --force fails to fix these issues.
Right now, this is what the dev dependencies look like in my package.json.
"devDependencies": {
"@mdi/font": "^5.1.45",
"@types/chai": "^4.2.11",
"@types/lodash": "^4.14.150",
"@types/mocha": "^5.2.4",
"@types/node": "^13.13.5",
"@typescript-eslint/eslint-plugin": "^2.26.0",
"@typescript-eslint/parser": "^2.26.0",
"@vue/cli-plugin-babel": "^5.0.4",
"@vue/cli-plugin-e2e-cypress": "^5.0.4",
"@vue/cli-plugin-eslint": "^5.0.4",
"@vue/cli-plugin-pwa": "^5.0.4",
"@vue/cli-plugin-router": "^5.0.4",
"@vue/cli-plugin-typescript": "^5.0.4",
"@vue/cli-plugin-unit-mocha": "^5.0.4",
"@vue/cli-plugin-vuex": "^5.0.4",
"@vue/cli-service": "^5.0.4",
"@vue/eslint-config-prettier": "^6.0.0",
"@vue/eslint-config-typescript": "^5.0.2",
"@vue/test-utils": "1.0.0-beta.31",
"chai": "^4.1.2",
"eslint": "^6.8.0",
"eslint-plugin-prettier": "^3.1.1",
"eslint-plugin-vue": "^6.2.2",
"prettier": "^1.19.1",
"sass": "^1.19.0",
"sass-loader": "^8.0.0",
"typescript": "~3.8.3",
"vue-cli-plugin-vuetify": "~2.0.5",
"vue-cli-plugin-vuetify-preset-fortnightly": "^1.0.3",
"vue-loader": "^15.9.2",
"vue-template-compiler": "^2.6.11",
"vuetify-loader": "^1.3.0",
"vuex-class": "^0.3.2",
"vuex-module-decorators": "^0.17.0"
}
As you can see, I do not have a glob-parent package in my dependencies currently. However, for the moment, I don't want to run any more npm installs/commands before I know more what I am doing.
If anyone can advise me on how to move forward I would much appreciate it.
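
The "Depends on vulnerable versions of" lines in the report above show that glob-parent and nanoid are installed transitively, which is why neither appears in devDependencies. As an added example (not part of the original post), this Node.js script parses the report text and names the direct dependencies found in each advisory's install paths. The function names, the `DIRECT` list and the path-matching heuristic are assumptions of this example.

```javascript
// Added example, not from the original post: parse the text of an `npm audit`
// report and name the direct dependencies found in each chain's install paths.
const HEADER = /^(@?[\w.-]+(?:\/[\w.-]+)?)\s+([<>=*\d].*)$/; // "name range"

function parseAuditReport(text) {
  const advisories = [];
  let node = null;    // package named by the most recent header line
  let current = null; // advisory whose chain is being collected
  for (const line of text.split('\n').map((l) => l.trim())) {
    const m = HEADER.exec(line);
    if (m) {
      node = { name: m[1], range: m[2], paths: [] };
    } else if (line.startsWith('Severity:') && node) { // header opens an advisory
      current = node = { ...node, severity: line.slice(9).trim(), chain: [] };
      advisories.push(current);
    } else if (line.startsWith('Depends on vulnerable versions of') && current) {
      // header belongs to a dependent further up the chain
      if (node !== current && !current.chain.includes(node)) current.chain.push(node);
    } else if (line.startsWith('node_modules/') && node) {
      node.paths.push(line); // where this package is installed
    }
  }
  return advisories;
}

// Heuristic (assumption): a direct dependency named in any install path of the chain.
function directOwners(advisory, directDeps) {
  const owners = new Set();
  for (const pkg of [advisory, ...advisory.chain]) {
    for (const p of pkg.paths) {
      // "node_modules/a/node_modules/b" -> ["a", "b"]
      for (const name of p.split(/\/?node_modules\//).filter(Boolean)) {
        if (directDeps.includes(name)) owners.add(name);
      }
    }
  }
  return [...owners];
}

// Sample input: the nanoid advisory from the post, descriptive lines trimmed.
const SAMPLE = `nanoid 3.0.0 - 3.1.30
Severity: moderate
node_modules/mocha/node_modules/nanoid
mocha 8.2.0 - 9.1.4
Depends on vulnerable versions of nanoid
node_modules/mocha
@vue/cli-plugin-unit-mocha >=5.0.0-alpha.0
Depends on vulnerable versions of mocha
node_modules/@vue/cli-plugin-unit-mocha`;
const DIRECT = ['@vue/cli-plugin-unit-mocha', 'vue-cli-plugin-vuetify']; // from devDependencies
for (const a of parseAuditReport(SAMPLE)) console.log(a.name, '<-', directOwners(a, DIRECT));
```

For a whole project, pass the keys of `dependencies` and `devDependencies` from package.json as the second argument.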