Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Yo should use esm #787

Open
Logicer16 opened this issue May 27, 2023 · 2 comments
Open

Yo should use esm #787

Logicer16 opened this issue May 27, 2023 · 2 comments

Comments

@Logicer16
Copy link
Contributor

Logicer16 commented May 27, 2023

Type of issue

Bug Report


My environment

  • OS version/details: macOS Monterey 12.6.7
  • Node version: v20.2.0 (run node --version in your terminal)
  • npm version: 9.6.6 (run npm --version in your terminal)
  • Version of yo : 4.3.1 (run yo --version in your terminal)

Expected behavior

yo has no vulnerable dependancies.

Current behavior

The following are vulnerable package versions from yo and its dependancies, yeoman/doctor and yeoman/insight:

meow: < v6.0.0
bin-version-check: < v5.0.0
got: < v12.0.0
npm-keyword: < v7.0.0
update-notifier: < v6.0.0
latest-version: < v6.0.0

However these packages are now all pure esm.
To allow for these dependancies to be updated, and thus for the vulnerabilities to be fixed, yo, yoeman/doctor, and yeoman/insight should switch to esm as well.

This has additionally caused problems with insight as os-name >= v5.0.0 is also pure esm, which resulted in insight being removed.

This has been an ongoing issue for the project. Related issues I've found include (17 total):

Each of these require this being implemented to be properly fixed.

Other yeoman packages have already made the switch to esm, including update-notifier, stringily-object, and configstore, with environment and generator soon to follow.

Steps to reproduce the behavior

npm audit

Command line output

Output
# npm audit report

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
node_modules/latest-version/node_modules/got
node_modules/npm-keyword/node_modules/got
node_modules/yeoman-doctor/node_modules/got
  npm-keyword  <=6.1.0
  Depends on vulnerable versions of got
  node_modules/npm-keyword
    yo  >=1.2.1
    Depends on vulnerable versions of got
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-keyword
    Depends on vulnerable versions of update-notifier
    Depends on vulnerable versions of yeoman-doctor
    node_modules/yo
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/latest-version/node_modules/package-json
  node_modules/yeoman-doctor/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
    node_modules/yeoman-doctor/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
      yeoman-doctor  >=1.4.0
      Depends on vulnerable versions of bin-version-check
      Depends on vulnerable versions of latest-version
      node_modules/yeoman-doctor

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cacheable-request/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/cacheable-request

semver-regex  <=3.1.3
Severity: high
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/semver-regex
  find-versions  <=3.2.0
  Depends on vulnerable versions of semver-regex
  node_modules/find-versions
    bin-version  <=4.0.0
    Depends on vulnerable versions of find-versions
    node_modules/bin-version
      bin-version-check  <=4.0.0
      Depends on vulnerable versions of bin-version
      node_modules/bin-version-check

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/yargs-parser

16 vulnerabilities (5 moderate, 11 high)
@IrrerPolterer
Copy link

Is there any progress towards fixinv the vulnerable dependencies? Trying to install yo at the moment fires a ton of vulnerability warnings. In this state yo is unusable for our purposes.

@mshima
Copy link
Member

mshima commented Oct 29, 2023

yeoman-generator, yeoman-environment and yeoman-test are ESM now.

Help is wanted to migrate yo to ESM.
In the mean time, yeoman-environment is been dynamic loaded to workaround requiring an ESM module.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants