
I have a Laravel, Inertia, Vue 3 stack project. When I run npm install there are 5 high severity vulnerabilities. When I run npm audit, the error is:

# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/vue-share-buttons/node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/vue-share-buttons/node_modules/webpack

5 high severity vulnerabilities

To address all issues, run:
  npm audit fix

I want to fix this message, although this error does not affect my project, and my project is still working normally. I have already run npm audit fix again, but it still returns the same error.

My package.json

{
    "private": true,
    "scripts": {
        "dev": "npm run development",
        "development": "mix",
        "watch": "mix watch",
        "watch-poll": "mix watch -- --watch-options-poll=1000",
        "hot": "mix watch --hot",
        "prod": "npm run production",
        "production": "mix --production"
    },
    "devDependencies": {
        "axios": "^0.25",
        "laravel-mix": "^6.0.6",
        "lodash": "^4.17.19",
        "postcss": "^8.1.14",
        "vue-loader": "^16.8.3"
    },
    "dependencies": {
        "@inertiajs/vue3": "^1.0.0",
        "@tabler/icons-vue": "^2.1.2",
        "@tinymce/tinymce-vue": "^4.0.7",
        "@vueform/multiselect": "^2.5.1",
        "maska": "^1.5.0",
        "moment": "^2.29.4",
        "sass": "^1.55.0",
        "vue": "^3.2.29",
        "vue-chart-3": "^3.1.2",
        "vue-easy-lightbox": "^1.8.2",
        "vue-meta": "^3.0.0-alpha.10",
        "vue-recaptcha": "^2.0.3",
        "vue-share-buttons": "^1.0.4",
        "vue-sweetalert2": "^5.0.2",
        "vue3-carousel": "^0.1.40"
    }
}

ASHafizullah

1 Answer


I was able to resolve this by forcing the resolution for glob-parent to a version > 6.

Add this to the "scripts" section of your package.json

  "scripts": {
    ...,
    "preinstall": "npx npm-force-resolutions"
  },

then add a new sibling to "scripts" called "resolutions" like so:

  "scripts": {
    ...,
    "preinstall": "npx npm-force-resolutions"
  },

  "resolutions": {
    "glob-parent": "^6.0.1"
  },

then, run npm i and possibly provide a y when asked to install a new package

  Need to install the following packages:
  npm-force-resolutions@0.0.10
  Ok to proceed? (y) y

then, you can check with npm audit and I also recommend checking with npm audit --omit=dev in case other warnings or errors are only caused by development dependencies.

Some references and good sources for information about NPM Audit warnings and errors.

https://overreacted.io/npm-audit-broken-by-design/

https://stackoverflow.com/a/68489125/13078911

https://stackoverflow.com/a/68342168/13078911

Ax0n