
[project] Unused npm-watch dependency #200

Open
miqmago opened this issue Sep 4, 2023 · 4 comments

Comments


miqmago commented Sep 4, 2023

The @trapezedev/project depends on npm-watch but it seems not to be used anywhere.

npm-watch seems not to be regularly maintained. npm-watch depends on nodemon@^2.0.7 (06/01/2021).
Right now nodemon is 3.0.1.

On an npm audit fix it raises a Severity: moderate

Maybe this dependency could be removed if not used anywhere.


chacabuk commented Sep 7, 2023

It also depends on mergexml, which seems not to be regularly maintained and depends on the deprecated "formidable": "^1.2.1"


Ericlm commented Sep 28, 2023

Just wanted to give support to this issue, as npm-watch is blocking updates of nodemon and triggers a vulnerability warning :)


Ericlm commented Apr 30, 2024

npm-watch received a recent release to address the nodemon dependency.
However, as @trapezedev/project is using npm-watch from 0.9.0 instead of 0.12.0, it continues to trigger audit warnings.
I think the simplest way is to remove the dependency as suggested, or at least upgrade npm-watch to ^0.12.0

yndajas added a commit to yndajas/hakubun that referenced this issue Jul 10, 2024
This shouldn't be too big of a deal, since it's just a dev dependency
and it's of moderate vulnerability, not high, but I thought I might as
well after fixing the high severity vulnerabilities

[semver versions 7.0.0-7.5.2 are
vulnerable](GHSA-c2qf-rxjj-qqgw)

- Dev dependency @capacitor/assets 3.0.4 relies on @trapezedev/project
  7.0.10
- [@trapezedev/project 7.0.10 relies on npm-watch
  ^0.9.0](https://github.com/ionic-team/trapeze/blob/main/packages/project/package.json),
  but it's not actually listed in the
  [lockfile](https://github.com/ionic-team/trapeze/blob/main/packages/project/package-lock.json).
  There's no more recent version of @trapezedev/project. [An issue has
  been raised](ionic-team/trapeze#200)
- [npm-watch 0.12.0+ is required for nodemon
  3.0.0+](https://github.com/M-Zuber/npm-watch/releases/tag/v0.12.0)
- [nodemon 3.0.0+ is required for simple-update-notifier
  2.0.0+](https://github.com/remy/nodemon/releases/tag/v3.0.0)
- [simple-update-notifier 2.0.0+ is required for the patched semver
  7.5.3+](https://github.com/alexbrazier/simple-update-notifier/releases/tag/v2.0.0)

While we await an upstream fix in @capacitor/assets and
@trapezedev/project, we can override the dependency. The tests all pass
with this change, and the web server seems to run fine locally. That
said, it looks like Capacitor is used for the Android and iOS versions
of the app, and I haven't got those running locally (the `npm run
ios-live-reload` and `npm run android-live-reload` fail on both `main`
and this branch for various reasons)
@chvonrohr

GitLab detects this as high severity risk!

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

I really think you should upgrade or remove that package. If this isn't done after one year (even when receiving PRs), the project seems abandoned, which would be sad for the whole Ionic community.

To still be compliant we overrule the dependency in the package.json like this:

```json
"overrides": {
  "@trapezedev/configure": {
    "npm-watch": "0.13.0"
  }
}
```
