
Upgrade dependencies to reduce the amount of vulnerabilities #603

Closed
1 task done
surfmuggle opened this issue Feb 1, 2025 · 2 comments
Assignees
Labels
bug Something isn't working

Comments

@surfmuggle

surfmuggle commented Feb 1, 2025

Summary

Based on comments in pull request 518 you are likely already aware of this:

  • 16 vulnerabilities (10 high, 6 critical)
  • 6 packages are deprecated

If I remember correctly, someone mentioned that release 8.0 must be finished before the switch to a newer version of Node.js is possible. Since the current release 8.12.7 is available, I wonder if the issues above and below (see output) could be fixed?

Running npm audit fix did not change the number of vulnerabilities.

Steps to reproduce

Run

$ git clone https://github.com/trailheadapps/lwc-recipes-oss
$ cd lwc-recipes-oss/

Running npm install will produce this output

$ npm install
npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE   package: '[email protected]',
npm warn EBADENGINE   required: { node: '18.x' },
npm warn EBADENGINE   current: { node: 'v20.11.1', npm: '10.7.0' }
npm warn EBADENGINE }
npm warn deprecated [email protected]: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-inject.
npm warn deprecated [email protected]: Please use @jridgewell/sourcemap-codec instead
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead.
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-dynamic-import instead.
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-object-rest-spread instead.
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-async-generator-functions instead.
npm warn deprecated @koa/[email protected]: **IMPORTANT 10x+ PERFORMANCE UPGRADE**: Please upgrade to v12.0.1+ as we have fixed an issue with debuglog causing 10x slower router benchmark performance, see https://github.com/koajs/router/pull/173

> [email protected] postinstall
> husky install

install command is DEPRECATED

added 1542 packages, and audited 1543 packages in 4m

253 packages are looking for funding
  run `npm fund` for details

16 vulnerabilities (10 high, 6 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

npm audit Results

Running npm audit produces this report

$ npm audit
# npm audit report

dompurify  3.0.0 - 3.1.2
Severity: high
DOMPurify allows tampering by prototype pollution - https://github.com/advisories/GHSA-mmhx-hmjr-r674
DOMpurify has a nesting-based mXSS - https://github.com/advisories/GHSA-gx9m-whjm-85jf
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dompurify
  @locker/html-sanitizer  0.19.4 - 0.22.8
  Depends on vulnerable versions of dompurify
  node_modules/@locker/html-sanitizer
    @locker/distortion  0.19.4 - 0.22.8
    Depends on vulnerable versions of @locker/html-sanitizer
    Depends on vulnerable versions of @locker/internal-policy
    node_modules/@locker/distortion
      @locker/sandbox  <=0.10.4-test.7 || 0.19.4 - 0.22.8
      Depends on vulnerable versions of @locker/distortion
      Depends on vulnerable versions of @locker/html-sanitizer
      node_modules/@locker/sandbox
        @lwrjs/client-modules  0.9.9-alpha.8 - 0.15.0-alpha.46 || 0.15.4-alpha.0
        Depends on vulnerable versions of @locker/sandbox
        node_modules/@lwrjs/client-modules
          @lwrjs/core  0.0.2-alpha.9 - 0.0.2-alpha31 || >=0.9.9-alpha.8
          Depends on vulnerable versions of @lwrjs/client-modules
          Depends on vulnerable versions of @lwrjs/loader
          Depends on vulnerable versions of @lwrjs/o11y
          Depends on vulnerable versions of @lwrjs/router
          node_modules/@lwrjs/core
            @lwrjs/tools  >=0.11.0-alpha.0
            Depends on vulnerable versions of @lwrjs/core
            node_modules/@lwrjs/tools
            lwr  >=0.11.0-alpha.0
            Depends on vulnerable versions of @lwrjs/core
            Depends on vulnerable versions of @lwrjs/dev-proxy-server
            Depends on vulnerable versions of @lwrjs/tools
            node_modules/lwr
          @lwrjs/loader  0.9.9-alpha.8 - 0.15.0-alpha.46 || 0.15.4-alpha.0
          Depends on vulnerable versions of @lwrjs/client-modules
          node_modules/@lwrjs/loader
          @lwrjs/router  0.9.9-alpha.8 - 0.15.0-alpha.46 || 0.15.4-alpha.0
          Depends on vulnerable versions of @lwrjs/client-modules
          node_modules/@lwrjs/router
    @locker/internal-policy  <=0.22.8
    Depends on vulnerable versions of @locker/html-sanitizer
    node_modules/@locker/internal-policy

http-proxy-middleware  <2.0.7
Severity: high
Denial of service in http-proxy-middleware - https://github.com/advisories/GHSA-c7qv-q95q-8v27
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/http-proxy-middleware
  @lwrjs/dev-proxy-server  <=0.15.0-alpha.46
  Depends on vulnerable versions of http-proxy-middleware
  node_modules/@lwrjs/dev-proxy-server

protobufjs  7.0.0 - 7.2.4
Severity: critical
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/o11y/node_modules/protobufjs
  o11y  >=246.4.0
  Depends on vulnerable versions of protobufjs
  node_modules/o11y
    @lwrjs/o11y  >=0.11.0-alpha.0
    Depends on vulnerable versions of o11y
    node_modules/@lwrjs/o11y

16 vulnerabilities (10 high, 6 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Steps To Reproduce

  1. Run git clone https://github.com/trailheadapps/lwc-recipes-oss on a command prompt (for me on Windows 10)
  2. Then cd lwc-recipes-oss/
  3. and then run npm install

Current Behavior

  • 16 vulnerabilities (10 high, 6 critical)
  • 6 packages are deprecated

Expected Behavior

  • 0 vulnerabilities (0 high, 0 critical)

Relevant Log Output

Code of Conduct

  • I agree to follow this project's Code of Conduct
@surfmuggle surfmuggle added the bug Something isn't working label Feb 1, 2025
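The report above shows every fix marked "which is a breaking change", which is why plain `npm audit fix` left the count at 16. The following is an added example, not code from the lwc-recipes-oss project or the issue author: it reads the machine-readable `npm audit --json` report (npm 7+ shape) to separate root advisories from transitive entries, trace each root up to the direct dependency that pulls it in, and list which roots a non-`--force` fix can resolve. SAMPLE_AUDIT is a constructed, abbreviated stand-in for the issue's report, with the last two fix states adjusted so all three `fixAvailable` forms appear.

```javascript
// Added example, not code from lwc-recipes-oss: reads an `npm audit --json` report (npm 7+ shape)
// to show why `npm audit fix` left the count unchanged. SAMPLE_AUDIT is constructed and abbreviated.
const major = { name: 'lwr', version: '0.0.0-placeholder', isSemVerMajor: true }; // constructed value
const SAMPLE_AUDIT = { vulnerabilities: {
  dompurify: { name: 'dompurify', severity: 'high', isDirect: false, range: '3.0.0 - 3.1.2',
    via: [{ url: 'https://github.com/advisories/GHSA-mmhx-hmjr-r674' },
          { url: 'https://github.com/advisories/GHSA-gx9m-whjm-85jf' }],
    effects: ['@locker/html-sanitizer'], fixAvailable: major },
  '@locker/html-sanitizer': { name: '@locker/html-sanitizer', severity: 'high', isDirect: false,
    range: '0.19.4 - 0.22.8', via: ['dompurify'], effects: ['lwr'], fixAvailable: major },
  lwr: { name: 'lwr', severity: 'high', isDirect: true, range: '>=0.11.0-alpha.0', fixAvailable: major,
    via: ['@locker/html-sanitizer', '@lwrjs/dev-proxy-server'], effects: [] },
  'http-proxy-middleware': { name: 'http-proxy-middleware', severity: 'high', isDirect: false,
    range: '<2.0.7', via: [{ url: 'https://github.com/advisories/GHSA-c7qv-q95q-8v27' }],
    effects: ['@lwrjs/dev-proxy-server'], fixAvailable: true },          // adjusted: non-breaking fix
  '@lwrjs/dev-proxy-server': { name: '@lwrjs/dev-proxy-server', severity: 'high', isDirect: false,
    range: '<=0.15.0-alpha.46', via: ['http-proxy-middleware'], effects: ['lwr'], fixAvailable: true },
  protobufjs: { name: 'protobufjs', severity: 'critical', isDirect: false, range: '7.0.0 - 7.2.4',
    via: [{ url: 'https://github.com/advisories/GHSA-h755-8qp9-cq85' }], effects: [], fixAvailable: false },
} };

// fixAvailable is false, true, or {name, version, isSemVerMajor}; a semver-major fix is only
// applied by `npm audit fix --force` ("Will install ..., which is a breaking change" in the report).
function fixKind(fixAvailable) {
  if (fixAvailable === false) return 'none';
  return fixAvailable === true || !fixAvailable.isSemVerMajor ? 'non-breaking' : 'breaking';
}

// Roots are entries whose `via` holds advisory objects; transitive entries only hold package names.
function rootVulnerabilities(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === 'object'))
    .map((v) => ({ name: v.name, severity: v.severity, range: v.range, fix: fixKind(v.fixAvailable),
      advisories: v.via.filter((x) => typeof x === 'object').map((x) => x.url) }));
}

// Walk `effects` edges upward to the packages in package.json (isDirect) that pull in the vulnerable one.
function directDependents(report, name) {
  const vulns = report.vulnerabilities, seen = new Set(), direct = new Set(), stack = [name];
  while (stack.length) {
    const cur = stack.pop();
    if (seen.has(cur) || !vulns[cur]) continue;
    seen.add(cur);
    if (vulns[cur].isDirect) direct.add(cur);
    stack.push(...vulns[cur].effects);
  }
  return [...direct].sort();
}

// Roots that plain `npm audit fix` resolves; an empty list explains an unchanged count after running it.
function fixableWithoutForce(report) {
  return rootVulnerabilities(report).filter((r) => r.fix === 'non-breaking').map((r) => r.name);
}
```

Run it against a real report with `npm audit --json > audit.json` and `JSON.parse(require('fs').readFileSync('audit.json'))` in place of SAMPLE_AUDIT; for the issue's tree, `directDependents(report, 'dompurify')` resolves to `lwr`, the only direct dependency that can actually be bumped.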

github-actions bot commented Feb 1, 2025

Thank you for posting this issue. 🙇🏼‍♂️
We will come back to you shortly.

@pozil
Contributor

pozil commented Feb 4, 2025

Thanks for reporting this. I migrated the project to node@20 and updated dependencies to reduce the vulnerabilities. It's not perfect but it's the best I can do for now.

@pozil pozil closed this as completed Feb 4, 2025