Open
Description
- I confirm that this is an issue rather than a question.
Bug report
Steps to reproduce
$ npx create-vuepress-site
$ cd docs
$ npm install
...
found 12 vulnerabilities (7 moderate, 5 high)
run `npm audit fix` to fix them, or `npm audit` for details
$ npm audit
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpackbar > wrap-ansi > │
│ │ string-width > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpack-dev-server > yargs > │
│ │ cliui > string-width > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpack-dev-server > yargs > │
│ │ cliui > wrap-ansi > string-width > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpack-dev-server > yargs > │
│ │ cliui > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpackbar > wrap-ansi > │
│ │ strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpack-dev-server > yargs > │
│ │ cliui > wrap-ansi > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-93q8-gq69-wqmw │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Inefficient Regular Expression Complexity in nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > │
│ │ optimize-css-assets-webpack-plugin > cssnano > │
│ │ cssnano-preset-default > postcss-svgo > svgo > css-select > │
│ │ nth-check │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-rp65-9cf3-cjxr │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular expression denial of service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > chokidar > glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > webpack-dev-server > chokidar > │
│ │ glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > @vuepress/shared-utils > globby │
│ │ > fast-glob > glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > @vuepress/markdown > │
│ │ @vuepress/shared-utils > globby > fast-glob > glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ vuepress > @vuepress/core > @vuepress/markdown-loader > │
│ │ @vuepress/markdown > @vuepress/shared-utils > globby > │
│ │ fast-glob > glob-parent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://github.com/advisories/GHSA-ww39-953v-wcq6 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 12 vulnerabilities (7 moderate, 5 high) in 1232 scanned packages
12 vulnerabilities require manual review. See the full report for details.
What is expected?
Zero security vulnerabilities
What is actually happening?
Twelve security vulnerabilities
Other relevant information
- Output of npx vuepress info in my VuePress project:
Environment Info:
  System:
    OS: Linux 5.4 Ubuntu 18.04.6 LTS (Bionic Beaver)
    CPU: (8) x64 Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz
  Binaries:
    Node: 14.16.0 - ~/.nvm/versions/node/v14.16.0/bin/node
    Yarn: 1.22.5 - /usr/bin/yarn
    npm: 6.14.11 - ~/.nvm/versions/node/v14.16.0/bin/npm
  Browsers:
    Chrome: 95.0.4638.69
    Firefox: 94.0
  npmPackages:
    @vuepress/core: 1.8.2
    @vuepress/theme-default: 1.8.2
    vuepress: ^1.5.3 => 1.8.2
  npmGlobalPackages:
    vuepress: Not Found
I have deep-dived into the modules.
- Regarding chalk
VuePress@0.0.1 /home/.../VuePress/docs
└─┬ vuepress@1.8.2
  ├─┬ @vuepress/core@1.8.2
  │ ├─┬ vue-server-renderer@2.6.14
  │ │ └─┬ chalk@1.1.3
  │ │   └─┬ has-ansi@2.0.0
  │ │     └── ansi-regex@2.1.1 deduped
  │ ├─┬ webpack-dev-server@3.11.3
  │ │ ├─┬ strip-ansi@3.0.1
  │ │ │ └── ansi-regex@2.1.1
  │ │ └─┬ yargs@13.3.2
  │ │   ├─┬ cliui@5.0.0
  │ │   │ └─┬ strip-ansi@5.2.0
  │ │   │   └── ansi-regex@4.1.0
  │ │   └─┬ string-width@3.1.0
  │ │     └─┬ strip-ansi@5.2.0
  │ │       └── ansi-regex@4.1.0
  │ └─┬ webpackbar@3.2.0
  │   └─┬ wrap-ansi@5.1.0
  │     └─┬ strip-ansi@5.2.0
  │       └── ansi-regex@4.1.0
  └─┬ update-notifier@4.1.3
    └─┬ boxen@4.2.0
      ├─┬ ansi-align@3.0.1
      │ └─┬ string-width@4.2.3
      │   └─┬ strip-ansi@6.0.1
      │     └── ansi-regex@5.0.1
      ├─┬ string-width@4.2.3
      │ └─┬ strip-ansi@6.0.1
      │   └── ansi-regex@5.0.1
      └─┬ widest-line@3.1.0
        └─┬ string-width@4.2.3
          └─┬ strip-ansi@6.0.1
            └── ansi-regex@5.0.1
The newest version of chalk is 4.1.2, and it has had no dependency on has-ansi since at least 2.0.0.
All other vulnerabilities should be fixed with newer versions of webpack-dev-server and webpackbar.
All the libs depending on ansi-regex are using newer versions.
- Regarding glob-parent
VuePress@0.0.1 /home/.../VuePress/docs
└─┬ vuepress@1.8.2
  └─┬ @vuepress/core@1.8.2
    ├─┬ @vuepress/shared-utils@1.8.2
    │ └─┬ globby@9.2.0
    │   └─┬ fast-glob@2.2.7
    │     └── glob-parent@3.1.0 deduped
    ├─┬ chokidar@2.1.8
    │ └── glob-parent@3.1.0
    ├─┬ copy-webpack-plugin@5.1.2
    │ └── glob-parent@3.1.0 deduped
    └─┬ webpack@4.46.0
      └─┬ watchpack@1.7.5
        └─┬ chokidar@3.5.2
          └── glob-parent@5.1.2
Updating globby, chokidar and copy-webpack-plugin should fix it; the libs depending on glob-parent are using newer versions.
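The manual trace above (walk the npm ls tree, find every path that ends at the advisory's package, compare the installed version with the "Patched in" floor) can be done by script. The following is an added example, not code from the reporter or from VuePress: it walks an npm ls --json style tree and lists the paths that still end at an unpatched version. SAMPLE_TREE is a constructed subset of the chalk tree in the report (the webpack-dev-server and yargs branches are left out to keep it short); the function names findUnpatchedPaths and compareVersions are this example's own. To run it against a real project, replace SAMPLE_TREE with the parsed output of npm ls --json (npm 7 and later need --all to print the full tree).

```javascript
// Added example (not from the issue or VuePress): find every dependency path in an
// `npm ls --json` tree that ends at a package version below an advisory's
// "Patched in" floor, e.g. ansi-regex below 5.0.1 (GHSA-93q8-gq69-wqmw).

// Minimal semver comparison for plain x.y.z versions (prerelease tags are not
// handled). Returns -1, 0 or 1 like an Array.prototype.sort comparator.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk `tree` (the object printed by `npm ls --json`) and return every path
// "root > dep@ver > ... > pkg@ver" whose final node is `pkg` at a version below
// `patchedIn`. Deduped entries still carry a version, so they are checked too;
// entries without a version (missing/extraneous markers) are skipped.
function findUnpatchedPaths(tree, pkg, patchedIn) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      if (!child || !child.version) continue;
      const here = [...path, `${name}@${child.version}`];
      if (name === pkg && compareVersions(child.version, patchedIn) < 0) {
        hits.push(here.join(' > '));
      }
      walk(child, here);
    }
  };
  walk(tree, [tree.name]);
  return hits;
}

// Constructed sample: a subset of the npm ls output shown in the report above.
const SAMPLE_TREE = {
  name: 'VuePress',
  dependencies: {
    vuepress: { version: '1.8.2', dependencies: {
      '@vuepress/core': { version: '1.8.2', dependencies: {
        'vue-server-renderer': { version: '2.6.14', dependencies: {
          chalk: { version: '1.1.3', dependencies: {
            'has-ansi': { version: '2.0.0', dependencies: {
              'ansi-regex': { version: '2.1.1' } } } } } } },
        webpackbar: { version: '3.2.0', dependencies: {
          'wrap-ansi': { version: '5.1.0', dependencies: {
            'strip-ansi': { version: '5.2.0', dependencies: {
              'ansi-regex': { version: '4.1.0' } } } } } } } } } } },
    'update-notifier': { version: '4.1.3', dependencies: {
      boxen: { version: '4.2.0', dependencies: {
        'string-width': { version: '4.2.3', dependencies: {
          'strip-ansi': { version: '6.0.1', dependencies: {
            'ansi-regex': { version: '5.0.1' } } } } } } } } },
  },
};

// Package name and floor come straight from the audit table's "Package" and
// "Patched in" rows. The update-notifier branch is already at 5.0.1 and is not listed.
const unpatched = findUnpatchedPaths(SAMPLE_TREE, 'ansi-regex', '5.0.1');
for (const p of unpatched) console.log('UNPATCHED:', p);
```

The output names the exact intermediate packages (chalk@1.1.3, wrap-ansi@5.1.0) whose updates would remove the finding, which is what npm audit's "Path" rows only show without versions. One caveat: a single ">= floor" comparison is the right check for the table above, but some advisories list several patched release lines (for example a backport on an older major); for those, compare against the patched version of the matching major instead of one global floor.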