halfzebra / create-elm-app

🍃 Create Elm apps with zero configuration

found 1 moderate severity vulnerability? (npm install > audit)

wibrt opened this issue

commented

npm install

After running
$ npm install -G create-elm-app
I get the output:

..
+ create-elm-app@4.2.8
added 1299 packages from 773 contributors and audited 15279 packages in 80.205s
..
found 1 moderate severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

Running npm audit manually does not work

npm ERR! code EAUDITNOPJSON
npm ERR! audit No package.json found: Cannot audit a project without a package.json

Versions

  1. node -v: v10.15.2

  2. npm -v: 4.14.3

  3. npm ls create-elm-app -g (if you haven’t ejected):
    /usr/local/lib
    └── (empty)

Then, specify:

  1. Operating system: Debian GNU/Linux 10 (buster)

Steps to Reproduce

npm install -G create-elm-app
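
One way to get the details that `npm audit` refused to show for the global install above, as an added example that is not part of the original thread: recreate the package's dependency tree in a scratch project that has a package.json, then audit that. The function names and the `audit-scratch` project name are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit a globally installed package.
# `npm audit` needs a package.json and a lockfile, which a global install
# does not have, hence the EAUDITNOPJSON error shown above.

# make_audit_project NAME VERSION
# Creates a temporary directory holding a minimal package.json that depends
# on NAME@VERSION and prints the directory path.
make_audit_project() {
    pkg=$1
    ver=$2
    dir=$(mktemp -d) || return 1
    cat > "$dir/package.json" <<EOF
{
  "name": "audit-scratch",
  "version": "0.0.0",
  "private": true,
  "dependencies": {
    "$pkg": "$ver"
  }
}
EOF
    printf '%s\n' "$dir"
}

# audit_global_package NAME VERSION
# Resolves the dependency tree into package-lock.json without installing
# anything or running install scripts, then runs the audit against it.
# Returns npm audit's exit status (non-zero when vulnerabilities are found).
audit_global_package() {
    dir=$(make_audit_project "$1" "$2") || return 1
    (
        cd "$dir" || exit 1
        npm install --package-lock-only --ignore-scripts >/dev/null || exit 1
        npm audit
    )
    status=$?
    rm -rf "$dir"
    return $status
}

# Usage (needs network access and npm 6 or later):
#   audit_global_package create-elm-app 4.2.8
```

The lockfile is resolved at the time of the run, so transitive versions can differ from the tree that was installed globally earlier; treat the report as a guide to which dependency carries the advisory.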

Hi @wibrt!

Thanks for raising awareness! 👍
The vulnerability originates in https://github.com/webpack-contrib/uglifyjs-webpack-plugin, which is currently providing a better minimization rate for JS produced by Elm.

We can definitely fix this by switching to the well-maintained https://github.com/webpack-contrib/terser-webpack-plugin, which would slightly increase the asset size.

Are you interested in working on a fix for this?

commented

Unfortunately, no dev background with (create-)elm(-app) nor time at the moment.

No worries!

I will see how this can be solved. 🙌