npm install vulnerabilities

[dkebler]

just wondering if it's an issue that npm reports this.

$ npm install

added 1098 packages, and audited 1099 packages in 2m

14 vulnerabilities (6 moderate, 5 high, 3 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

[xoxys]

Not optimal but not an issue as it only affects build dependencies and has no impact to the resulting JS that is part of the theme after the build. Two ways to verify it:

1. Omit dev dpendencies:

❯ npm audit --omit dev
found 0 vulnerabilities

2. Use dry-run to get the dependency chain for the affected packages:

❯ npm audit fix --dry-run

added 1 package, changed 59 packages, and audited 1100 packages in 5s

# npm audit report

jpeg-js  <0.4.0
Severity: moderate
Uncontrolled resource consumption in jpeg-js - https://github.com/advisories/GHSA-w7q9-p3jq-fmhm
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/resize-img/node_modules/jimp/node_modules/jpeg-js
node_modules/resize-img/node_modules/jpeg-js
  jimp  <=0.3.5
  Depends on vulnerable versions of jpeg-js
  Depends on vulnerable versions of mkdirp
  Depends on vulnerable versions of url-regex
  node_modules/resize-img/node_modules/jimp
    resize-img  <=1.1.2
    Depends on vulnerable versions of jimp
    Depends on vulnerable versions of jpeg-js
    
      to-ico  >=1.1.0
      Depends on vulnerable versions of resize-img
      node_modules/to-ico
        favicons  4.8.3 - 7.0.0-beta.3
        Depends on vulnerable versions of sharp
        Depends on vulnerable versions of to-ico
        node_modules/favicons
          favicons-webpack-plugin  >=1.0.0
          Depends on vulnerable versions of favicons
          node_modules/favicons-webpack-plugin

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/resize-img/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/resize-img/node_modules/mkdirp
    jimp  <=0.3.5
    Depends on vulnerable versions of jpeg-js
    Depends on vulnerable versions of mkdirp
    Depends on vulnerable versions of url-regex
    node_modules/resize-img/node_modules/jimp
      resize-img  <=1.1.2
      Depends on vulnerable versions of jimp
      Depends on vulnerable versions of jpeg-js
      
        to-ico  >=1.1.0
        Depends on vulnerable versions of resize-img
        node_modules/to-ico
          favicons  4.8.3 - 7.0.0-beta.3
          Depends on vulnerable versions of sharp
          Depends on vulnerable versions of to-ico
          node_modules/favicons
            favicons-webpack-plugin  >=1.0.0
            Depends on vulnerable versions of favicons
            node_modules/favicons-webpack-plugin

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      svg-sprite  1.4.0 - 1.5.4
      Depends on vulnerable versions of svgo
      node_modules/svg-sprite

sharp  <0.30.5
Severity: moderate
Possible vulnerability in sharp at 'npm install' time if an attacker has control over build environment - https://github.com/advisories/GHSA-gp95-ppv5-3jc5
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/sharp
  favicons  4.8.3 - 7.0.0-beta.3
  Depends on vulnerable versions of sharp
  Depends on vulnerable versions of to-ico
  node_modules/favicons
    favicons-webpack-plugin  >=1.0.0
    Depends on vulnerable versions of favicons
    node_modules/favicons-webpack-plugin

url-regex  *
Severity: high
Regular expression denial of service in url-regex - https://github.com/advisories/GHSA-v4rh-8p82-6h5w
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change

  jimp  <=0.3.5
  Depends on vulnerable versions of jpeg-js
  Depends on vulnerable versions of mkdirp
  Depends on vulnerable versions of url-regex
  node_modules/resize-img/node_modules/jimp
    resize-img  <=1.1.2
    Depends on vulnerable versions of jimp
    Depends on vulnerable versions of jpeg-js
    
      to-ico  >=1.1.0
      Depends on vulnerable versions of resize-img
      node_modules/to-ico
        favicons  4.8.3 - 7.0.0-beta.3
        Depends on vulnerable versions of sharp
        Depends on vulnerable versions of to-ico
        node_modules/favicons
          favicons-webpack-plugin  >=1.0.0
          Depends on vulnerable versions of favicons
          node_modules/favicons-webpack-plugin

14 vulnerabilities (7 moderate, 6 high, 1 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force