Are security fixes safe to automate?
Pacharapol Withayasakpunt
Posted on March 18, 2020
Recently, I received a lot of warnings about these from GitHub's security alerts, which npm audit cannot even detect yet. And GitHub cannot automate the fixes either.
```json
"acorn": ">=5.7.4",
"minimist": ">=1.2.2"
```
After looking it up, and also realizing that Yarn has selective dependency resolutions, I realized that I can do this on npm as well.
```json
"resolutions": {
  "acorn": ">=5.7.4",
  "minimist": ">=1.2.2"
}
```
```sh
rm -rf node_modules
npx npm-force-resolutions && npm i
```
But still, it stops me from using Pug.js in Vue. So, I decided not to fix Acorn...
```
├─┬ @vue/cli-plugin-babel@4.2.3
│ └─┬ webpack@4.42.0
│   └── acorn@6.4.1
├─┬ @vue/cli-service@4.2.3
│ ├── acorn@7.1.1
│ └─┬ webpack-bundle-analyzer@3.6.1
│   └── acorn@7.1.1
└─┬ vue-cli-plugin-pug@1.0.7
  └─┬ pug@2.0.4
    ├─┬ pug-code-gen@2.0.2
    │ └─┬ with@5.1.1
    │   ├── acorn@3.3.0
    │   └─┬ acorn-globals@3.1.0
    │     └── acorn@4.0.13
    └─┬ pug-lexer@4.1.0
      └─┬ is-expression@3.0.0
        └── acorn@4.0.13
```
Not sure if this is safe. After some review, it seems that this is entirely Pug.js's fault. Not that I have alternatives (clean syntax without the need for explicit closing tags).
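Added example, not code from the original post: a check that walks an `npm ls --json`-style tree and lists every dependency path that still resolves a package below the version a resolutions entry requires. The tree is a constructed subset of the output above (only the Pug and Babel branches), and the semver comparison is a minimal one for plain x.y.z versions, assumed sufficient for `>=` ranges like these.

```javascript
// Resolutions map from the post; minimist is kept to show the map is generic.
const resolutions = { acorn: ">=5.7.4", minimist: ">=1.2.2" };

// Constructed subset of `npm ls --json` output, mirroring the tree above.
// In a real project, replace this with JSON.parse of `npm ls --json --all`.
const tree = {
  dependencies: {
    "@vue/cli-plugin-babel": { version: "4.2.3", dependencies: {
      webpack: { version: "4.42.0", dependencies: { acorn: { version: "6.4.1" } } } } },
    "vue-cli-plugin-pug": { version: "1.0.7", dependencies: {
      pug: { version: "2.0.4", dependencies: {
        "pug-code-gen": { version: "2.0.2", dependencies: {
          "with": { version: "5.1.1", dependencies: {
            acorn: { version: "3.3.0" },
            "acorn-globals": { version: "3.1.0", dependencies: { acorn: { version: "4.0.13" } } } } } } },
        "pug-lexer": { version: "4.1.0", dependencies: {
          "is-expression": { version: "3.0.0", dependencies: { acorn: { version: "4.0.13" } } } } } } } } },
  },
};

// Minimal semver compare for plain x.y.z versions (no prerelease tags),
// enough to evaluate a ">=x.y.z" range. Assumption: no other range syntax.
function parse(v) { return v.split(".").map(Number); }
function satisfiesMin(version, range) {
  const min = parse(range.replace(/^>=/, ""));
  const cur = parse(version);
  for (let i = 0; i < 3; i++) {
    if (cur[i] !== min[i]) return cur[i] > min[i];
  }
  return true; // identical version satisfies ">="
}

// Depth-first walk; returns "a@1 > b@2 > pkg@ver" paths that are still below the
// required version, so you can see exactly which parent pins the old copy.
function findUnpatched(node, resolutions, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (resolutions[name] && !satisfiesMin(dep.version, resolutions[name])) {
      hits.push(here.join(" > "));
    }
    hits.push(...findUnpatched(dep, resolutions, here));
  }
  return hits;
}

console.log(findUnpatched(tree, resolutions).join("\n"));
```

On this tree the webpack branch passes (acorn 6.4.1) while all three Pug-side copies are flagged, which is the same conclusion the post reaches by reading the tree by hand.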
I did hear a lot that `npm audit fix` leads to broken dependencies... Also, is Node.js / npm a security hell?