
Dependencies are outdated and there are vulnerabilities #3709

@Download

Description


You want to:

  • report a bug
  • request a feature

Current behaviour

npm outdated reports many dependencies as out of date:

C:\ws\socketio>npm outdated
Package           Current    Wanted    Latest  Location
@types/mocha        8.0.3     8.0.4     8.0.4  socket.io
@types/node       14.14.7  14.14.10  14.14.10  socket.io
debug               4.1.1     4.1.1     4.3.1  socket.io
engine.io           4.0.1     4.0.4     4.0.4  socket.io
eslint             7.12.1    7.14.0    7.14.0  socket.io
mocha               3.5.3     3.5.3     8.2.1  socket.io
prettier           1.19.1    1.19.1     2.2.0  socket.io
socket.io-parser    4.0.1     4.0.2     4.0.2  socket.io
superagent          3.8.3     3.8.3     6.1.0  socket.io
supertest           3.4.2     3.4.2     6.0.1  socket.io
typescript          4.0.5     4.1.2     4.1.2  socket.io

Also, after each install, npm reports vulnerabilities:

audited 325 packages in 1.704s

20 packages are looking for funding
  run `npm fund` for details

found 3 vulnerabilities (2 low, 1 critical)

Steps to reproduce (if the current behaviour is a bug)

  • Git clone this repo
  • npm install (observe reported vulnerabilities)
  • npm outdated (observe report of many outdated dependencies)

Expected behaviour

Dependencies should be up to date and no vulnerabilities should be reported

Setup

  • OS: Windows, but not relevant
  • browser: n/a
  • socket.io version: master

Other information (e.g. stacktraces, related issues, suggestions how to fix)

I created a PR that updates all dependencies except for 2:

  • @types/mocha 8.0.3 ==> 8.0.4
  • @types/node 14.14.7 ==> 14.14.10
  • debug 4.1.1 ==> 4.3.1
  • engine.io 4.0.1 ==> 4.0.4
  • eslint 7.12.1 ==> 7.14.0
  • mocha #3710 3.5.3 =X> 8.2.1
  • prettier #3712 1.19.1 =X> 2.2.0
  • socket.io-parser 4.0.1 ==> 4.0.2
  • superagent 3.8.3 ==> 6.1.0
  • supertest 3.4.2 ==> 6.0.1
  • typescript 4.0.5 ==> 4.1.2

Mocha, when I update it and then run the tests, gives me test failures. So I left that out and created a separate issue for that:

Tests fail with latest version of Mocha #3710

Prettier, it seems, had a change of some default rules or something. When I update it to the latest version, it marks many files as invalid. When I run npm run format:fix, it makes the needed changes, and it affects a bunch of files. The changes seem to revolve around whether or not there are braces around a single parameter of an arrow function, and whether to use a comma after the last item in an array. I will create a separate issue and PR for updating Prettier, because maybe you don't agree with the defaults changing.

Updating Prettier causes many files to become invalid #3712

About the vulnerabilities

They are only in the development dependencies, so this is mostly a theoretical issue. But it would be great to fix them of course. I found out that they are coming in via mocha and that they are fixed in the latest version of mocha. However as said above I had trouble updating mocha so maybe one of the more seasoned socket.io devs can have a look at that.

C:\ws\socketio>npm audit

                       === npm audit security report ===

# Run  npm install --save-dev mocha@8.2.1  to resolve 3 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Critical        Command Injection
  Package         growl
  Dependency of   mocha [dev]
  Path            mocha > growl
  More info       https://npmjs.com/advisories/146

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   mocha [dev]
  Path            mocha > debug
  More info       https://npmjs.com/advisories/534

  Low             Prototype Pollution
  Package         minimist
  Dependency of   mocha [dev]
  Path            mocha > mkdirp > minimist
  More info       https://npmjs.com/advisories/1179

found 3 vulnerabilities (2 low, 1 critical) in 327 scanned packages
  3 vulnerabilities require semver-major dependency updates.
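As an added check, not code from this issue or from the socket.io project: a small Node script that reads an npm 6 "npm audit --json" report, groups each advisory by the top-level dependency that pulls the vulnerable package in (the first segment of each "a>b>c" path), records whether every finding is reachable only through dev dependencies, and applies a simple CI gate. It lets a maintainer confirm that all three findings above trace back to mocha and decide whether a build should fail on them. The report shape (advisories keyed by id, each with severity, module_name, findings[].paths and findings[].dev) is assumed from npm 6; the embedded sample is constructed to mirror the three findings in this issue and is not captured output. The function and option names are the example's own.

```javascript
// Added example, not part of the socket.io issue or repository.
// Groups the advisories in an npm 6 `npm audit --json` report by the
// top-level dependency that pulls each vulnerable package in, records
// whether every finding is dev-only, and applies a simple CI gate.
// Assumed report shape (npm 6): { advisories: { <id>: { module_name,
// severity, title, url, findings: [{ paths: ["a>b>c"], dev: bool }] } } }.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the three findings reported in the issue.
// Only the fields the summarizer reads are included; this is not real
// captured `npm audit --json` output.
const SAMPLE_AUDIT = {
  advisories: {
    146: {
      module_name: "growl",
      severity: "critical",
      title: "Command Injection",
      url: "https://npmjs.com/advisories/146",
      findings: [{ paths: ["mocha>growl"], dev: true }],
    },
    534: {
      module_name: "debug",
      severity: "low",
      title: "Regular Expression Denial of Service",
      url: "https://npmjs.com/advisories/534",
      findings: [{ paths: ["mocha>debug"], dev: true }],
    },
    1179: {
      module_name: "minimist",
      severity: "low",
      title: "Prototype Pollution",
      url: "https://npmjs.com/advisories/1179",
      findings: [{ paths: ["mocha>mkdirp>minimist"], dev: true }],
    },
  },
};

// Returns the more severe of two severity names; null means "none seen yet".
function worse(a, b) {
  if (a === null) return b;
  if (b === null) return a;
  return SEVERITY_RANK[b] > SEVERITY_RANK[a] ? b : a;
}

// Returns counts by severity, the worst severity overall and among
// production (non-dev) findings, and the vulnerable modules reachable
// from each top-level dependency (the first segment of each path).
function summarizeAudit(report) {
  const bySeverity = {};
  const byRoot = {};
  let worst = null;
  let worstProd = null;
  let total = 0;
  for (const adv of Object.values(report.advisories || {})) {
    total += 1;
    bySeverity[adv.severity] = (bySeverity[adv.severity] || 0) + 1;
    worst = worse(worst, adv.severity);
    for (const finding of adv.findings || []) {
      if (!finding.dev) worstProd = worse(worstProd, adv.severity);
      for (const path of finding.paths || []) {
        const root = path.split(">")[0];
        if (!byRoot[root]) byRoot[root] = new Set();
        byRoot[root].add(`${adv.module_name} (${adv.severity})`);
      }
    }
  }
  const roots = {};
  for (const [root, mods] of Object.entries(byRoot)) roots[root] = [...mods].sort();
  return { total, bySeverity, worst, worstProd, allDev: worstProd === null, byRoot: roots };
}

// CI gate: true when the worst relevant finding reaches `failOn`.
// With ignoreDev, only findings reachable through production deps count.
function shouldFailBuild(summary, { failOn = "high", ignoreDev = false } = {}) {
  const level = ignoreDev ? summary.worstProd : summary.worst;
  if (level === null) return false;
  return SEVERITY_RANK[level] >= SEVERITY_RANK[failOn];
}

// Stand-alone use: `node audit-by-root.js [report.json]`; without a file
// argument the constructed sample is summarized.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const report = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_AUDIT;
  const summary = summarizeAudit(report);
  console.log(JSON.stringify(summary, null, 2));
  console.log("gate (fail on high+):", shouldFailBuild(summary) ? "FAIL" : "PASS");
}
```

Run against a real report with "npm audit --json > report.json" and then "node audit-by-root.js report.json". On the sample, byRoot has the single key mocha and allDev is true, so a gate that ignores dev-only findings passes while a strict gate fails on the critical growl advisory; a CI wrapper would map the boolean to its exit status.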

Labels: enhancement (New feature or request)