found 1 moderate severity vulnerability? (npm install > audit)
wibrt opened this issue · 3 comments
npm install
After running
$ npm install -G create-elm-app
I get the output:
..
+ create-elm-app@4.2.8
added 1299 packages from 773 contributors and audited 15279 packages in 80.205s
..
found 1 moderate severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
Running `npm audit` manually does not work:
npm ERR! code EAUDITNOPJSON
npm ERR! audit No package.json found: Cannot audit a project without a package.json
Versions
- `node -v`: v10.15.2
- `npm -v`: 4.14.3
- `npm ls create-elm-app -g` (if you haven't ejected):
  /usr/local/lib
  └── (empty)
Then, specify:
- Operating system: Debian GNU/Linux 10 (buster)
Steps to Reproduce
npm install -G create-elm-app
Hi @wibrt!
Thanks for raising awareness!
The vulnerability originates in https://github.com/webpack-contrib/uglifyjs-webpack-plugin, which currently provides a better minimization rate for JS produced by Elm.
We can definitely fix this by switching to the well-maintained https://github.com/webpack-contrib/terser-webpack-plugin, which would slightly increase the asset size.
Are you interested in working on a fix for this?
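As an added illustration of the swap the maintainer describes (this is not create-elm-app's own webpack config, which the thread does not show), the minimizer change in a webpack 4 config looks like this. The `compress` options are the ones Elm's optimization guide recommends for uglify; it is assumed here that they carry over unchanged to Terser, which accepts the same `compress` keys.

```js
// Added example, not create-elm-app's configuration.
// After: terser-webpack-plugin, as proposed above.
const TerserPlugin = require('terser-webpack-plugin');

// Elm's optimization guide lists these helpers as pure, so the minifier may
// drop unused calls to them. Assumption: the same list works with Terser.
const elmPureFuncs = ['F2', 'F3', 'F4', 'F5', 'F6', 'F7', 'F8', 'F9',
                      'A2', 'A3', 'A4', 'A5', 'A6', 'A7', 'A8', 'A9'];
const compress = {
  pure_funcs: elmPureFuncs,
  pure_getters: true,
  keep_fargs: false,
  unsafe_comps: true,
  unsafe: true,
  passes: 2,
};

module.exports = {
  mode: 'production',
  optimization: {
    minimize: true,
    minimizer: [
      // Before (the plugin the audit finding is attributed to):
      //   const UglifyJsPlugin = require('uglifyjs-webpack-plugin');
      //   new UglifyJsPlugin({ uglifyOptions: { compress, mangle: true } }),
      // After:
      new TerserPlugin({ terserOptions: { compress, mangle: true } }),
    ],
  },
};
```

After the swap, re-run `npm audit` on the project (or on a scratch project that depends on the new release) to confirm the moderate finding is gone, and compare the emitted bundle size against the uglify build to measure the increase the maintainer expects.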
Unfortunately, no dev background with (create-)elm(-app), nor time at the moment.
No worries!
I will see how this can be solved.