
Yo should use esm #787

Open
Logicer16 opened this issue May 27, 2023 · 2 comments

Comments

@Logicer16
Contributor

Logicer16 commented May 27, 2023

Type of issue

Bug Report


My environment

  • OS version/details: macOS Monterey 12.6.7
  • Node version: v20.2.0 (run node --version in your terminal)
  • npm version: 9.6.6 (run npm --version in your terminal)
  • Version of yo : 4.3.1 (run yo --version in your terminal)

Expected behavior

yo has no vulnerable dependencies.

Current behavior

The following are vulnerable package versions from yo and its dependencies, yeoman/doctor and yeoman/insight:

meow: < v6.0.0
bin-version-check: < v5.0.0
got: < v12.0.0
npm-keyword: < v7.0.0
update-notifier: < v6.0.0
latest-version: < v6.0.0

However, these packages are now all pure ESM.
To allow these dependencies to be updated, and thus for the vulnerabilities to be fixed, yo, yeoman/doctor, and yeoman/insight should switch to ESM as well.

This has additionally caused problems with insight, as os-name >= v5.0.0 is also pure ESM, which resulted in insight being removed.

This has been an ongoing issue for the project. Related issues I've found include (17 total):

Each of these requires this being implemented to be properly fixed.

Other yeoman packages have already made the switch to ESM, including update-notifier, stringify-object, and configstore, with environment and generator soon to follow.

Steps to reproduce the behavior

npm audit

Command line output

Output
# npm audit report

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install yo@1.4.5, which is a breaking change
node_modules/got
node_modules/latest-version/node_modules/got
node_modules/npm-keyword/node_modules/got
node_modules/yeoman-doctor/node_modules/got
  npm-keyword  <=6.1.0
  Depends on vulnerable versions of got
  node_modules/npm-keyword
    yo  >=1.2.1
    Depends on vulnerable versions of got
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of npm-keyword
    Depends on vulnerable versions of update-notifier
    Depends on vulnerable versions of yeoman-doctor
    node_modules/yo
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/latest-version/node_modules/package-json
  node_modules/yeoman-doctor/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
    node_modules/yeoman-doctor/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
      yeoman-doctor  >=1.4.0
      Depends on vulnerable versions of bin-version-check
      Depends on vulnerable versions of latest-version
      node_modules/yeoman-doctor

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install yo@1.4.5, which is a breaking change
node_modules/cacheable-request/node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/cacheable-request

semver-regex  <=3.1.3
Severity: high
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
fix available via `npm audit fix --force`
Will install yo@1.4.5, which is a breaking change
node_modules/semver-regex
  find-versions  <=3.2.0
  Depends on vulnerable versions of semver-regex
  node_modules/find-versions
    bin-version  <=4.0.0
    Depends on vulnerable versions of find-versions
    node_modules/bin-version
      bin-version-check  <=4.0.0
      Depends on vulnerable versions of bin-version
      node_modules/bin-version-check

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix --force`
Will install yo@1.4.5, which is a breaking change
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install yo@1.4.5, which is a breaking change
node_modules/yargs-parser

16 vulnerabilities (5 moderate, 11 high)
@IrrerPolterer

Is there any progress towards fixing the vulnerable dependencies? Trying to install yo at the moment fires a ton of vulnerability warnings. In this state yo is unusable for our purposes.

@mshima
Member

mshima commented Oct 29, 2023

yeoman-generator, yeoman-environment and yeoman-test are ESM now.

Help is wanted to migrate yo to ESM.
In the meantime, yeoman-environment is being dynamically loaded to work around requiring an ESM module.
