Impossible to update braces to ^3.0.3
Closed this issue · 5 comments
Describe the bug
On my local machine, after running `npm audit` and `npm audit fix`, I get the warning:
1 high severity vulnerability
To address all issues, run:
npm audit fix
Run `npm audit` for details.
quasi@quasiBlip astro-ananda % npm audit
# npm audit report
braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/braces
1 high severity vulnerability
To address all issues, run:
npm audit fix
When checking the braces package in node_modules/netlify-cli/node_modules/, I see its version is 3.0.2.
On GitHub, also trying to solve the issue through Dependabot throws an error:
Dependabot encountered an unknown error
Steps to reproduce
- In the netlify UI, I've created an Astro site with the astro-netlify-platform-starter
- Installed the netlify-cli on my local machine by running `npm install netlify-cli --save-dev`
- Linked my local project to the Astro site on Netlify, to an empty repo on Github, and linked the Netlify site to the repo.
- Updated my local installation through `npm update`
- I get the above-mentioned error.
Configuration
[[redirects]]
from = "/es/*"
to = "/es/404.html"
status = 404
[[redirects]]
from = "/*"
to = "/404.html"
status = 404
Environment
Had to use `npx node_modules/netlify-cli/node_modules/envinfo --system --binaries --npmPackages netlify-cli --npmGlobalPackages netlify-cli`
System:
OS: macOS 14.5
CPU: (12) x64 Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz
Memory: 809.07 MB / 32.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 21.5.0 - /usr/local/bin/node
Yarn: 1.22.22 - /usr/local/bin/yarn
npm: 10.2.4 - /usr/local/bin/npm
pnpm: 9.0.6 - /usr/local/bin/pnpm
npmPackages:
netlify-cli: ^17.29.0 => 17.30.0
Here's the content of the package.json:
{
"name": "astro-netlify-platform-starter",
"type": "module",
"version": "0.1.0",
"scripts": {
"dev": "astro dev",
"start": "astro dev",
"build": "astro build",
"preview": "astro preview",
"astro": "astro"
},
"dependencies": {
"@astrojs/netlify": "^5.2.0",
"@astrojs/partytown": "^2.1.1",
"@astrojs/react": "^3.3.0",
"@astrojs/sitemap": "^3.1.6",
"@astrojs/tailwind": "^5.1.0",
"@fontsource-variable/montserrat": "^5.0.19",
"@fontsource/inter": "^5.0.18",
"@netlify/blobs": "^7.3.0",
"@netlify/functions": "^2.8.0",
"@types/react": "^18.2.79",
"@types/react-dom": "^18.2.25",
"aos": "^2.3.4",
"astro": "^4.6.2",
"astro-favicons": "^2.0.2",
"blobshape": "^1.0.0",
"marked": "^13.0.0",
"marked-shiki": "^1.1.0",
"netlify-cli": "^17.29.0",
"node-html-parser": "^6.1.13",
"react": "^18.2.0",
"react-dom": "^18.2.0",
"sass": "^1.77.6",
"swiper": "^11.1.4",
"tailwindcss": "^3.4.3",
"unique-names-generator": "^4.7.1"
},
"devDependencies": {
"@types/blobshape": "^1.0.3",
"@types/node": "^20.12.7",
"daisyui": "^4.10.2"
}
}
cc @sarahetter
I have the same issue.
I tried removing the CLI, including manually removing Netlify CLI from modules and package.json, to reinstall, and the problem just comes back.
@DavidWaters-AP it's because Netlify uses npm-shrinkwrap.json, so it locks every dependency in its entire tree, which npm does not allow you to ignore, so we're reliant on Netlify to keep their dependencies up to date.
Closing as resolved for braces (it has been updated) and as a duplicate of #6731.