The starterkit theme NPM dependencies contain many security vulnerabilities

I take full responsibility of solving this issue

@Arshu1864: As the new module maintainer, I'm OK with having others work on the outstanding issues, but I need to know when you expect to resolve this specific issue by?

I'm fixing the issue and will hopefully be resolved by end of this week

I have fixed the issue and tested it now it is working fine. There is on npm audit there is showing found 0 vulnerabilities. I am attaching patch alongside with it please check.

Thanks.

I can't test it as I don't know which release you were working from? The hash doesn't match 8.x-1.15 (4de9cd3). Which release is the patch for?

curl https://www.drupal.org/files/issues/2023-04-13/npm-dependencies-3353211-%236.patch | git apply -v --index
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1132k  100 1132k    0     0  3342k      0 --:--:-- --:--:-- --:--:-- 3342k
Checking patch starterkit/package-lock.json...
error: starterkit/package-lock.json: does not match index
Checking patch starterkit/package.json...
error: starterkit/package.json: does not match index

I have cloned from the 8.x-1.x branch and my npm version is 9.6.4 and node version is v16.19.1

OK, but what is the hash or the commit message of the commit that you cloned? When I am cloning from the commit tagged with the latest release (8.x-1.15), hash 4de9cd3, your patch doesn't work.

Sorry the while creating patch file the # got added I had renamed the file and added along with this comment

Thanks but that still doesn't work:

$ curl https://www.drupal.org/files/issues/2023-04-13/npm-dependencies-3353211-6.patch | git apply -v --index
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1132k  100 1132k    0     0   176k      0  0:00:06  0:00:06 --:--:--  276k
Checking patch starterkit/package-lock.json...
error: starterkit/package-lock.json: does not match index
Checking patch starterkit/package.json...
error: starterkit/package.json: does not match index

Again, which commit (give me the commit message, date/time, hash, or link to it) does your patch work against? The commit log is here.

https://git.drupalcode.org/project/cog/-/merge_requests/2
This is the merge request I have created please check

For what it's worth the patch in #10 applies for me to ca8975e9 on the tip of what code is in gitlab:

greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)> git status
On branch 8.x-1.x
Your branch is up to date with 'origin/8.x-1.x'.

nothing to commit, working tree clean
greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)> git log | head
commit ca8975e981f8c2c277e524966330685e15743fb7
Author: Dave Nattriss <dave@natts.com>
Date:   Wed Apr 12 05:19:18 2023 +0100

    Updated deprecated spaceless usage in toolbar.html.twig, as per:
    https://www.drupal.org/project/cog/issues/3261882

commit 4de9cd30ba0a26b90e4443623461fa9835888ab9
Merge: a80b097 4cf4b08
Author: Aaron Ellison <aaron.ellison@acquia.com>
greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)> curl -O https://www.drupal.org/files/issues/2023-04-13/npm-dependencies-3353211-6.patch
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1132k  100 1132k    0     0  2278k      0 --:--:-- --:--:-- --:--:-- 2307k
greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)> git apply --index < npm-dependencies-3353211-6.patch
greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)> git status
On branch 8.x-1.x
Your branch is up to date with 'origin/8.x-1.x'.

Changes to be committed:
  (use "git restore --staged <file>..." to unstage)
	modified:   starterkit/package-lock.json
	modified:   starterkit/package.json

Untracked files:
  (use "git add <file>..." to include in what will be committed)
	npm-dependencies-3353211-6.patch

greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)>

I do think the merge request is better to have, though, thanks for making that.

Do all the features of the theme work with these latest udpates? I'm surprised there wasn't any change required beyond the package files.

I've now been able to get the patch working, after starting with a fresh checkout on the 8.x-1.x branch (sorry about that). Running 'npm audit' confirms all vulnerabilities have been addressed.

However, I don't know what theme functionality this could affect or break. Does anyone have experience with travis? There are some tests available in the project.

Most of the NPM packages updated are related to linting tools and build tools. If all the tools and NPM commands work after the upgrade, it should be good to go. There are three different commands for gulp which should be tested that they still work.

The travis tests seem to just run the NPM commands to make sure that they are working:

npm install -g gulp-cli
npm install -g npm@latest
npm run install-tools

gulp

Marking as Needs work because of the above comment.

OK, so is anyone reading this able to help with that? I really don't have the experience with Gulp or Webpack etc., but am happy to approve merge requests to get this theme marked safe again.

@natts We will investigate in Exove if we can help out.