The starterkit theme NPM dependencies contain many security vulnerabilities

Created on 10 April 2023, over 1 year ago
Updated 8 September 2023, over 1 year ago

Problem/Motivation

# npm audit report

acorn  5.5.0 - 5.7.3
Severity: high
Regular Expression Denial of Service in Acorn - https://github.com/advisories/GHSA-6chw-6frg-f759
fix available via `npm audit fix --force`
Will install eslint@8.38.0, which is a breaking change
node_modules/acorn
  @gulp-sourcemaps/identity-map  
  Depends on vulnerable versions of acorn
  node_modules/@gulp-sourcemaps/identity-map
  espree  
  Depends on vulnerable versions of acorn
  node_modules/espree
    eslint  0.7.1 - 7.14.0
    Depends on vulnerable versions of ajv
    Depends on vulnerable versions of espree
    Depends on vulnerable versions of file-entry-cache
    Depends on vulnerable versions of inquirer
    Depends on vulnerable versions of is-my-json-valid
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of minimatch
    Depends on vulnerable versions of mkdirp
    Depends on vulnerable versions of shelljs
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of table
    node_modules/eslint
    node_modules/sass-lint/node_modules/eslint
      gulp-eslint  2.0.0-rc-1 - 2.0.0-rc-3
      Depends on vulnerable versions of eslint
      node_modules/gulp-eslint
  gulp-sourcemaps  
  Depends on vulnerable versions of acorn
  node_modules/gulp-sourcemaps

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install eslint@8.38.0, which is a breaking change
node_modules/ajv
node_modules/har-validator/node_modules/ajv
node_modules/sass-lint/node_modules/ajv
node_modules/stylelint-no-browser-hacks/node_modules/ajv
  har-validator  3.3.0 - 5.1.0
  Depends on vulnerable versions of ajv
  node_modules/har-validator
  table  1.0.0 - 3.7.4 || 3.7.10 - 5.2.2
  Depends on vulnerable versions of ajv
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of string-width
  node_modules/sass-lint/node_modules/table
  node_modules/stylelint-no-browser-hacks/node_modules/table
  node_modules/table
    stylelint  >=0.1.0
    Depends on vulnerable versions of autoprefixer
    Depends on vulnerable versions of file-entry-cache
    Depends on vulnerable versions of global-modules
    Depends on vulnerable versions of globby
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of micromatch
    Depends on vulnerable versions of micromatch
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-html
    Depends on vulnerable versions of postcss-less
    Depends on vulnerable versions of postcss-markdown
    Depends on vulnerable versions of postcss-reporter
    Depends on vulnerable versions of postcss-safe-parser
    Depends on vulnerable versions of postcss-sass
    Depends on vulnerable versions of postcss-scss
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of sugarss
    Depends on vulnerable versions of table
    node_modules/stylelint
    node_modules/stylelint-config-get-off-my-lawn/node_modules/stylelint
    node_modules/stylelint-no-browser-hacks/node_modules/stylelint

ansi-regex  3.0.0 || 4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install eslint@8.38.0, which is a breaking change
node_modules/eslint/node_modules/ansi-regex
node_modules/gulp-stylelint/node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/kss/node_modules/ansi-regex
node_modules/sass-lint/node_modules/table/node_modules/ansi-regex
node_modules/stylelint-config-get-off-my-lawn/node_modules/ansi-regex
node_modules/stylelint-no-browser-hacks/node_modules/ansi-regex
node_modules/stylelint/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
  strip-ansi  
  Depends on vulnerable versions of ansi-regex
  node_modules/eslint/node_modules/strip-ansi
  node_modules/gulp-stylelint/node_modules/strip-ansi
  node_modules/inquirer/node_modules/strip-ansi
  node_modules/kss/node_modules/strip-ansi
  node_modules/sass-lint/node_modules/table/node_modules/strip-ansi
  node_modules/stylelint-config-get-off-my-lawn/node_modules/string-width/node_modules/strip-ansi
  node_modules/stylelint/node_modules/strip-ansi
  node_modules/table/node_modules/strip-ansi
    cliui  4.0.0 - 4.1.0
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of strip-ansi
    node_modules/kss/node_modules/cliui
      yargs  4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1 || 8.0.0-candidate.0 - 13.2.2
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of y18n
      Depends on vulnerable versions of yargs-parser
      Depends on vulnerable versions of yargs-parser
      node_modules/kss/node_modules/yargs
      node_modules/localtunnel/node_modules/yargs
      node_modules/nunjucks/node_modules/yargs
      node_modules/sass-graph/node_modules/yargs
      node_modules/yargs
        browser-sync  *
        Depends on vulnerable versions of browser-sync-ui
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of connect
        Depends on vulnerable versions of easy-extender
        Depends on vulnerable versions of eazy-logger
        Depends on vulnerable versions of http-proxy
        Depends on vulnerable versions of localtunnel
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of qs
        Depends on vulnerable versions of resp-modifier
        Depends on vulnerable versions of serve-index
        Depends on vulnerable versions of socket.io
        Depends on vulnerable versions of ua-parser-js
        Depends on vulnerable versions of yargs
        node_modules/browser-sync
        localtunnel  0.2.0 - 1.9.2
        Depends on vulnerable versions of axios
        Depends on vulnerable versions of debug
        Depends on vulnerable versions of yargs
        node_modules/localtunnel
        nunjucks  1.0.2 - 1.0.3 || 2.0.0 - 3.2.0
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of yargs
        node_modules/nunjucks
    gulp-stylelint  3.8.0 - 8.0.0
    Depends on vulnerable versions of gulp-util
    Depends on vulnerable versions of mkdirp
    Depends on vulnerable versions of strip-ansi
    node_modules/gulp-stylelint
    inquirer  <=0.11.4 || 3.2.0 - 6.5.2
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of strip-ansi
    node_modules/inquirer
    node_modules/sass-lint/node_modules/inquirer
    string-width  2.1.0 - 2.1.1
    Depends on vulnerable versions of strip-ansi
    node_modules/inquirer/node_modules/string-width
    node_modules/kss/node_modules/string-width
    node_modules/sass-lint/node_modules/table/node_modules/string-width
    node_modules/stylelint-config-get-off-my-lawn/node_modules/string-width
    node_modules/stylelint/node_modules/string-width
    node_modules/table/node_modules/string-width

axios  <=0.21.1
Severity: high
Denial of Service in axios - https://github.com/advisories/GHSA-42xw-2xvc-qx8m
Axios vulnerable to Server-Side Request Forgery - https://github.com/advisories/GHSA-4w2v-q235-vp99
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Depends on vulnerable versions of follow-redirects
fix available via `npm audit fix --force`
Will install browser-sync@2.29.1, which is outside the stated dependency range
node_modules/axios

braces  <=2.3.0
Regular Expression Denial of Service in braces - https://github.com/advisories/GHSA-g95f-p29q-9xw4
Regular Expression Denial of Service (ReDoS) in braces - https://github.com/advisories/GHSA-cwfw-4gq5-mrqx
fix available via `npm audit fix --force`
Will install gulp-watch@4.0.1, which is a breaking change
node_modules/braces
  micromatch  0.2.0 - 2.3.11 || 3.1.6 - 3.1.10
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of define-property
  Depends on vulnerable versions of kind-of
  Depends on vulnerable versions of parse-glob
  Depends on vulnerable versions of to-regex
  node_modules/fast-glob/node_modules/micromatch
  node_modules/findup-sync/node_modules/micromatch
  node_modules/gulp-load-plugins/node_modules/micromatch
  node_modules/micromatch
  node_modules/nunjucks/node_modules/micromatch
  node_modules/readdirp/node_modules/micromatch
  node_modules/stylelint-no-browser-hacks/node_modules/micromatch
    anymatch  1.2.0 - 1.3.2
    Depends on vulnerable versions of micromatch
    node_modules/anymatch
      chokidar  1.0.0-rc1 - 2.1.8
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of glob-parent
      Depends on vulnerable versions of readdirp
      node_modules/chokidar
      node_modules/nunjucks/node_modules/chokidar
        gulp-watch  >=4.0.0
        Depends on vulnerable versions of anymatch
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of glob-parent
        node_modules/gulp-watch
    fast-glob  <=2.2.7
    Depends on vulnerable versions of glob-parent
    Depends on vulnerable versions of micromatch
    node_modules/fast-glob
      globby  8.0.0 - 9.2.0
      Depends on vulnerable versions of fast-glob
      node_modules/stylelint-no-browser-hacks/node_modules/globby
    gulp-load-plugins  1.6.0
    Depends on vulnerable versions of micromatch
    node_modules/gulp-load-plugins
    readdirp  2.2.0 - 2.2.1
    Depends on vulnerable versions of micromatch
    node_modules/readdirp

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix --force`
Will install gulp-autoprefixer@8.0.0, which is a breaking change
node_modules/stylelint-no-browser-hacks/node_modules/browserslist
  autoprefixer  1.0.20131222 - 8.6.5
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
  node_modules/stylelint-no-browser-hacks/node_modules/autoprefixer
    gulp-autoprefixer  0.0.3 - 0.0.10 || 2.2.0 - 5.0.0
    Depends on vulnerable versions of autoprefixer
    Depends on vulnerable versions of postcss
    node_modules/gulp-autoprefixer

debug  <=2.6.8
Severity: high
debug Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-9vvw-cc9w-f27h
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
Depends on vulnerable versions of ms
fix available via `npm audit fix --force`
Will install browser-sync@2.29.1, which is outside the stated dependency range
node_modules/connect/node_modules/debug
node_modules/finalhandler/node_modules/debug
node_modules/localtunnel/node_modules/debug
node_modules/serve-index/node_modules/debug
  connect  2.11.1 - 3.6.4
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of finalhandler
  node_modules/connect
  finalhandler  <=1.0.5
  Depends on vulnerable versions of debug
  node_modules/finalhandler
  serve-index  1.2.0 - 1.9.0
  Depends on vulnerable versions of debug
  node_modules/serve-index

decode-uri-component  <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component
  source-map-resolve  
  Depends on vulnerable versions of decode-uri-component
  node_modules/source-map-resolve

dot-prop  <4.2.1
Severity: high
dot-prop Prototype Pollution vulnerability - https://github.com/advisories/GHSA-ff7x-qrg7-qggm
fix available via `npm audit fix`
node_modules/dot-prop
  postcss-selector-parser  
  Depends on vulnerable versions of dot-prop
  node_modules/postcss-selector-parser

engine.io  <=3.6.0
Severity: high
Resource exhaustion in engine.io - https://github.com/advisories/GHSA-j4f2-536g-r55m
Uncaught exception in engine.io - https://github.com/advisories/GHSA-r7qp-cfhv-p84w
fix available via `npm audit fix --force`
Will install browser-sync@2.29.1, which is outside the stated dependency range
node_modules/engine.io
  socket.io  <=2.4.1
  Depends on vulnerable versions of engine.io
  Depends on vulnerable versions of socket.io-client
  Depends on vulnerable versions of socket.io-parser
  node_modules/socket.io

follow-redirects  <=1.14.7
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via `npm audit fix --force`
Will install browser-sync@2.29.1, which is outside the stated dependency range
node_modules/follow-redirects

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install gulp-watch@4.0.1, which is a breaking change
node_modules/fast-glob/node_modules/glob-parent
node_modules/glob-parent
node_modules/gulp-watch/node_modules/glob-parent
node_modules/nunjucks/node_modules/glob-parent
  glob-base  *
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base
    parse-glob  >=2.1.0
    Depends on vulnerable versions of glob-base
    node_modules/parse-glob

handlebars  <=4.7.6
Severity: critical
Arbitrary Code Execution in handlebars - https://github.com/advisories/GHSA-q2c6-c6pm-g3gh
Prototype Pollution in handlebars - https://github.com/advisories/GHSA-g9r4-xpmj-mj65
Arbitrary Code Execution in handlebars - https://github.com/advisories/GHSA-2cf5-4w76-r9qv
Denial of Service in handlebars - https://github.com/advisories/GHSA-f52g-6jhx-586p
Remote code execution in handlebars when compiling templates - https://github.com/advisories/GHSA-f2jv-r9rf-7988
Prototype Pollution in handlebars - https://github.com/advisories/GHSA-765h-qjxv-5f44
Regular Expression Denial of Service in Handlebars - https://github.com/advisories/GHSA-62gr-4qp9-h98f
Arbitrary Code Execution in Handlebars - https://github.com/advisories/GHSA-3cqr-58rm-57f8
Prototype Pollution in handlebars - https://github.com/advisories/GHSA-w457-6q6x-cgp9
Depends on vulnerable versions of optimist
fix available via `npm audit fix`
node_modules/handlebars
  kss  <=2.1.0 || 2.2.0 - 3.0.1
  Depends on vulnerable versions of glob
  Depends on vulnerable versions of handlebars
  Depends on vulnerable versions of highlight.js
  Depends on vulnerable versions of markdown-it
  Depends on vulnerable versions of nunjucks
  Depends on vulnerable versions of resolve
  Depends on vulnerable versions of twig
  Depends on vulnerable versions of yargs
  node_modules/kss

highlight.js  <=10.4.0
Severity: moderate
ReDOS vulnerabities: multiple grammars - https://github.com/advisories/GHSA-7wwv-vh3v-89cq
Prototype Pollution in highlight.js - https://github.com/advisories/GHSA-vfrc-7r7c-w9mx
fix available via `npm audit fix`
node_modules/highlight.js

hosted-git-info  <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/hosted-git-info
  normalize-package-data  
  Depends on vulnerable versions of hosted-git-info
  node_modules/normalize-package-data

http-proxy  <1.18.1
Severity: high
Denial of Service in http-proxy - https://github.com/advisories/GHSA-6x33-pw7p-hmpq
fix available via `npm audit fix --force`
Will install browser-sync@2.29.1, which is outside the stated dependency range
node_modules/http-proxy

https-proxy-agent  <2.2.3
Severity: moderate
Machine-In-The-Middle in https-proxy-agent - https://github.com/advisories/GHSA-pc5p-h8pf-mvwp
No fix available
node_modules/https-proxy-agent
  puppeteer  
  Depends on vulnerable versions of extract-zip
  Depends on vulnerable versions of https-proxy-agent
  Depends on vulnerable versions of ws
  node_modules/puppeteer
    pa11y  5.3.1
    Depends on vulnerable versions of puppeteer
    node_modules/pa11y

ini  <1.3.6
Severity: high
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via `npm audit fix`
node_modules/fsevents/node_modules/ini
node_modules/ini
  rc  1.1.3 - 1.1.4 || 0.1.1 - 0.5.4
  Depends on vulnerable versions of ini
  Depends on vulnerable versions of minimist
  node_modules/fsevents/node_modules/rc

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix --force`
Will install node-sass@8.0.0, which is a breaking change
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim
    http-signature  
    Depends on vulnerable versions of jsprim
    node_modules/http-signature
      request  *
      Depends on vulnerable versions of http-signature
      Depends on vulnerable versions of qs
      node_modules/request
        node-gyp  <=7.1.2
        Depends on vulnerable versions of mkdirp
        Depends on vulnerable versions of request
        Depends on vulnerable versions of tar
        node_modules/node-gyp
          node-sass  1.2.3 - 7.0.3
          Depends on vulnerable versions of lodash
          Depends on vulnerable versions of meow
          Depends on vulnerable versions of mkdirp
          Depends on vulnerable versions of node-gyp
          Depends on vulnerable versions of request
          node_modules/node-sass
            gulp-sass  1.3.3 - 4.1.1
            Depends on vulnerable versions of node-sass
            node_modules/gulp-sass

json5  <=1.0.1 || 2.0.0 - 2.2.1
Severity: critical
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Depends on vulnerable versions of minimist
fix available via `npm audit fix --force`
Will install babel-core@4.7.16, which is a breaking change
node_modules/@babel/core/node_modules/json5
node_modules/json5
  @babel/core  
  Depends on vulnerable versions of json5
  Depends on vulnerable versions of lodash
  node_modules/@babel/core
  babel-core  <=7.0.0-beta.3
  Depends on vulnerable versions of babel-register
  Depends on vulnerable versions of babel-template
  Depends on vulnerable versions of babel-traverse
  Depends on vulnerable versions of babel-types
  Depends on vulnerable versions of json5
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of minimatch
  node_modules/babel-core
    babel-register  *
    Depends on vulnerable versions of babel-core
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of mkdirp
    node_modules/babel-register

jsonpointer  <5.0.0
Severity: moderate
Prototype Pollution in node-jsonpointer - https://github.com/advisories/GHSA-282f-qqgm-c34q
fix available via `npm audit fix`
node_modules/jsonpointer
  is-my-json-valid  2.0.0 - 2.20.5
  Depends on vulnerable versions of jsonpointer
  node_modules/is-my-json-valid

kind-of  6.0.0 - 6.0.2
Severity: high
Validation Bypass in kind-of - https://github.com/advisories/GHSA-6c8f-qphg-qjgp
fix available via `npm audit fix --force`
Will install gulp-watch@4.0.1, which is a breaking change
node_modules/base/node_modules/kind-of
node_modules/define-property/node_modules/kind-of
node_modules/fast-glob/node_modules/kind-of
node_modules/findup-sync/node_modules/kind-of
node_modules/gulp-load-plugins/node_modules/kind-of
node_modules/make-iterator/node_modules/kind-of
node_modules/nanomatch/node_modules/kind-of
node_modules/nunjucks/node_modules/kind-of
node_modules/randomatic/node_modules/kind-of
node_modules/readdirp/node_modules/kind-of
node_modules/snapdragon-node/node_modules/kind-of
node_modules/stylelint-no-browser-hacks/node_modules/kind-of
  global-prefix  
  Depends on vulnerable versions of ini
  Depends on vulnerable versions of kind-of
  node_modules/stylelint-no-browser-hacks/node_modules/global-prefix
    global-modules  >=2.0.0
    Depends on vulnerable versions of global-prefix
    node_modules/stylelint-no-browser-hacks/node_modules/global-modules
  is-accessor-descriptor  
  Depends on vulnerable versions of kind-of
  node_modules/base/node_modules/is-accessor-descriptor
  node_modules/define-property/node_modules/is-accessor-descriptor
  node_modules/fast-glob/node_modules/is-accessor-descriptor
  node_modules/findup-sync/node_modules/is-accessor-descriptor
  node_modules/gulp-load-plugins/node_modules/is-accessor-descriptor
  node_modules/nunjucks/node_modules/is-accessor-descriptor
  node_modules/readdirp/node_modules/is-accessor-descriptor
  node_modules/snapdragon-node/node_modules/is-accessor-descriptor
  node_modules/stylelint-no-browser-hacks/node_modules/is-accessor-descriptor
  is-data-descriptor  
  Depends on vulnerable versions of kind-of
  node_modules/base/node_modules/is-data-descriptor
  node_modules/define-property/node_modules/is-data-descriptor
  node_modules/fast-glob/node_modules/is-data-descriptor
  node_modules/findup-sync/node_modules/is-data-descriptor
  node_modules/gulp-load-plugins/node_modules/is-data-descriptor
  node_modules/nunjucks/node_modules/is-data-descriptor
  node_modules/readdirp/node_modules/is-data-descriptor
  node_modules/snapdragon-node/node_modules/is-data-descriptor
  node_modules/stylelint-no-browser-hacks/node_modules/is-data-descriptor
    is-descriptor  1.0.2
    Depends on vulnerable versions of is-accessor-descriptor
    Depends on vulnerable versions of is-data-descriptor
    Depends on vulnerable versions of kind-of
    node_modules/base/node_modules/is-descriptor
    node_modules/define-property/node_modules/is-descriptor
    node_modules/fast-glob/node_modules/is-descriptor
    node_modules/findup-sync/node_modules/is-descriptor
    node_modules/gulp-load-plugins/node_modules/is-descriptor
    node_modules/nunjucks/node_modules/is-descriptor
    node_modules/readdirp/node_modules/is-descriptor
    node_modules/snapdragon-node/node_modules/is-descriptor
    node_modules/stylelint-no-browser-hacks/node_modules/is-descriptor
      define-property  >=2.0.1
      Depends on vulnerable versions of is-descriptor
      node_modules/define-property
        nanomatch  >=1.2.8
        Depends on vulnerable versions of define-property
        Depends on vulnerable versions of kind-of
        node_modules/nanomatch
        to-regex  >=3.0.2
        Depends on vulnerable versions of define-property
        node_modules/to-regex
  make-iterator  
  Depends on vulnerable versions of kind-of
  node_modules/make-iterator
  randomatic  
  Depends on vulnerable versions of kind-of
  node_modules/randomatic

locutus  <=2.0.14
Severity: critical
Prototype Pollution in locutus - https://github.com/advisories/GHSA-f98m-q3hr-p5wq
OS Command Injection in Locutus - https://github.com/advisories/GHSA-h86x-mv66-gr5q
Uncontrolled Resource Consumption in locutus - https://github.com/advisories/GHSA-39q4-p535-c852
fix available via `npm audit fix`
node_modules/locutus
  twig  0.4.0 - 0.8.8
  Depends on vulnerable versions of locutus
  Depends on vulnerable versions of minimatch
  node_modules/twig

lodash  <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install babel-core@4.7.16, which is a breaking change
node_modules/easy-extender/node_modules/lodash
node_modules/globule/node_modules/lodash
node_modules/lodash
  @babel/generator  
  Depends on vulnerable versions of lodash
  node_modules/@babel/generator
  @babel/traverse  
  Depends on vulnerable versions of lodash
  node_modules/@babel/traverse
  @babel/types  
  Depends on vulnerable versions of lodash
  node_modules/@babel/types
  babel-generator  <=6.8.0 || 6.26.0 - 6.26.1
  Depends on vulnerable versions of babel-types
  Depends on vulnerable versions of lodash
  node_modules/babel-generator
  babel-helper-define-map  <=6.8.0 || 6.26.0
  Depends on vulnerable versions of babel-types
  Depends on vulnerable versions of lodash
  node_modules/babel-helper-define-map
  babel-helper-regex  <=6.8.0 || 6.26.0
  Depends on vulnerable versions of babel-types
  Depends on vulnerable versions of lodash
  node_modules/babel-helper-regex
  babel-plugin-transform-es2015-block-scoping  <=6.8.0 || 6.26.0
  Depends on vulnerable versions of babel-template
  Depends on vulnerable versions of babel-traverse
  Depends on vulnerable versions of babel-types
  Depends on vulnerable versions of lodash
  node_modules/babel-plugin-transform-es2015-block-scoping
  babel-template  <=6.8.0 || 6.26.0
  Depends on vulnerable versions of babel-traverse
  Depends on vulnerable versions of babel-types
  Depends on vulnerable versions of lodash
  node_modules/babel-template
    babel-plugin-transform-es2015-modules-commonjs  6.26.0 - 6.26.2
    Depends on vulnerable versions of babel-template
    Depends on vulnerable versions of babel-types
    node_modules/babel-plugin-transform-es2015-modules-commonjs
  babel-traverse  <=6.8.0 || 6.26.0
  Depends on vulnerable versions of babel-types
  Depends on vulnerable versions of lodash
  node_modules/babel-traverse
  babel-types  <=6.8.1
  Depends on vulnerable versions of lodash
  node_modules/babel-types
  easy-extender  1.1.1 - 2.3.3
  Depends on vulnerable versions of lodash
  node_modules/easy-extender
  globule  <=1.1.0
  Depends on vulnerable versions of glob
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of minimatch
  node_modules/globule
  node_modules/node-sass/node_modules/globule
  node_modules/sass-lint/node_modules/globule
    gaze  0.4.0 - 1.0.0
    Depends on vulnerable versions of globule
    node_modules/gaze
    node_modules/node-sass/node_modules/gaze
      glob-watcher  <=2.0.0
      Depends on vulnerable versions of gaze
      node_modules/glob-watcher
  postcss-reporter  <=5.0.0
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of postcss
  node_modules/postcss-reporter
  node_modules/stylehacks/node_modules/postcss-reporter
  node_modules/stylelint-config-get-off-my-lawn/node_modules/postcss-reporter
  node_modules/stylelint-no-browser-hacks/node_modules/postcss-reporter
  postcss-sorting  <=3.1.0
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of postcss
  node_modules/postcss-sorting
    stylelint-order  <=0.8.1
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-sorting
    node_modules/stylelint-config-get-off-my-lawn/node_modules/stylelint-order
    node_modules/stylelint-order
      stylelint-config-get-off-my-lawn  >=2.0.0
      Depends on vulnerable versions of stylelint
      Depends on vulnerable versions of stylelint-order
      Depends on vulnerable versions of stylelint-scss
      node_modules/stylelint-config-get-off-my-lawn
  sass-graph  <=2.0.1 || 2.2.0 - 4.0.0
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of scss-tokenizer
  node_modules/sass-graph
  stylelint-scss  
  Depends on vulnerable versions of lodash
  node_modules/stylelint-config-get-off-my-lawn/node_modules/stylelint-scss
  node_modules/stylelint-scss
  stylelint-selector-bem-pattern  <=0.2.0 || 0.2.3 - 1.0.0
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of postcss
  node_modules/stylelint-selector-bem-pattern

lodash.template  <4.5.0
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/lodash.template
  gulp-util  >=1.1.0
  Depends on vulnerable versions of lodash.template
  Depends on vulnerable versions of minimist
  node_modules/gulp-util

markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
fix available via `npm audit fix`
node_modules/markdown-it

merge  <2.1.1
Severity: high
Prototype Pollution in merge - https://github.com/advisories/GHSA-7wpw-2hjm-89gp
No fix available
node_modules/merge
  sass-lint  *
  Depends on vulnerable versions of gonzales-pe-sl
  Depends on vulnerable versions of merge
  node_modules/sass-lint
    gulp-sass-lint  *
    Depends on vulnerable versions of sass-lint
    node_modules/gulp-sass-lint

minimatch  <=3.0.4
Severity: high
Regular Expression Denial of Service in minimatch - https://github.com/advisories/GHSA-hxm2-r34f-qmc5
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install babel-core@4.7.16, which is a breaking change
node_modules/fsevents/node_modules/minimatch
node_modules/glob-stream/node_modules/minimatch
node_modules/globule/node_modules/minimatch
node_modules/minimatch
  eslint-plugin-import  
  Depends on vulnerable versions of minimatch
  node_modules/eslint-plugin-import
  glob  3.0.0 - 5.0.14
  Depends on vulnerable versions of minimatch
  node_modules/fsevents/node_modules/glob
  node_modules/glob
  node_modules/glob-stream/node_modules/glob
  node_modules/globule/node_modules/glob
    glob-stream  0.2.0 - 5.2.0
    Depends on vulnerable versions of glob
    Depends on vulnerable versions of minimatch
    node_modules/glob-stream
      vinyl-fs  <=1.0.0
      Depends on vulnerable versions of glob-stream
      Depends on vulnerable versions of glob-watcher
      Depends on vulnerable versions of mkdirp
      node_modules/vinyl-fs
  gulp-sass-glob  
  Depends on vulnerable versions of minimatch
  node_modules/gulp-sass-glob
  ignore-walk  
  Depends on vulnerable versions of minimatch
  node_modules/fsevents/node_modules/ignore-walk
  postcss-bem-linter  0.3.0 - 3.2.0
  Depends on vulnerable versions of minimatch
  Depends on vulnerable versions of postcss
  node_modules/postcss-bem-linter
  resp-modifier  1.0.0 - 6.0.1
  Depends on vulnerable versions of minimatch
  node_modules/resp-modifier

minimist  <=0.2.3 || 1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
No fix available
node_modules/@babel/core/node_modules/minimist
node_modules/fsevents/node_modules/minimist
node_modules/fsevents/node_modules/rc/node_modules/minimist
node_modules/gonzales-pe-sl/node_modules/minimist
node_modules/gulp-util/node_modules/minimist
node_modules/gulp/node_modules/minimist
node_modules/meow/node_modules/minimist
node_modules/minimist
node_modules/parker/node_modules/minimist
node_modules/postcss-sass/node_modules/minimist
node_modules/stylehacks/node_modules/minimist
node_modules/stylelint-config-get-off-my-lawn/node_modules/minimist
node_modules/stylelint-no-browser-hacks/node_modules/minimist
node_modules/stylelint/node_modules/minimist
  cosmiconfig  
  Depends on vulnerable versions of minimist
  node_modules/stylelint-config-get-off-my-lawn/node_modules/cosmiconfig
  gonzales-pe  3.0.0-1 - 4.2.4
  Depends on vulnerable versions of minimist
  node_modules/postcss-sass/node_modules/gonzales-pe
  node_modules/stylelint-no-browser-hacks/node_modules/gonzales-pe
    postcss-sass  <=0.3.2
    Depends on vulnerable versions of gonzales-pe
    Depends on vulnerable versions of postcss
    node_modules/postcss-sass
    node_modules/stylelint-no-browser-hacks/node_modules/postcss-sass
  gonzales-pe-sl  *
  Depends on vulnerable versions of minimist
  node_modules/gonzales-pe-sl
  gulp  
  Depends on vulnerable versions of minimist
  node_modules/gulp
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
  node_modules/stylelint-no-browser-hacks/node_modules/meow
  node_modules/stylelint/node_modules/meow
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/fsevents/node_modules/mkdirp
  node_modules/mkdirp
    extract-zip  <=1.6.7
    Depends on vulnerable versions of mkdirp
    node_modules/extract-zip
    fstream  
    Depends on vulnerable versions of mkdirp
    node_modules/fstream
      tar  <=4.4.17
      Depends on vulnerable versions of fstream
      Depends on vulnerable versions of mkdirp
      node_modules/fsevents/node_modules/tar
      node_modules/tar
        node-pre-gyp  0.5.12 - 0.6.25
        Depends on vulnerable versions of mkdirp
        Depends on vulnerable versions of tar
        node_modules/fsevents/node_modules/node-pre-gyp
    write  
    Depends on vulnerable versions of mkdirp
    node_modules/stylelint-no-browser-hacks/node_modules/write
    node_modules/write
      flat-cache  1.0.6 - 2.0.1
      Depends on vulnerable versions of write
      node_modules/flat-cache
      node_modules/stylelint-no-browser-hacks/node_modules/flat-cache
        file-entry-cache  1.2.3 - 5.0.1
        Depends on vulnerable versions of flat-cache
        node_modules/file-entry-cache
        node_modules/sass-lint/node_modules/file-entry-cache
        node_modules/stylelint-no-browser-hacks/node_modules/file-entry-cache
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist
  parker  *
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of underscore
  node_modules/parker
    gulp-parker  *
    Depends on vulnerable versions of parker
    node_modules/gulp-parker
  stylehacks  <=4.0.0
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of postcss
  node_modules/stylehacks

ms  <2.0.0
Severity: moderate
Vercel ms Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-w9mr-4mfr-499f
fix available via `npm audit fix --force`
Will install browser-sync@2.29.1, which is outside the stated dependency range
node_modules/connect/node_modules/ms
node_modules/finalhandler/node_modules/ms
node_modules/serve-index/node_modules/ms


object-path  <=0.11.7
Severity: high
Prototype Pollution in object-path - https://github.com/advisories/GHSA-v39p-96qg-c8rf
Prototype pollution in object-path - https://github.com/advisories/GHSA-cwx2-736x-mf6w
Prototype Pollution in object-path - https://github.com/advisories/GHSA-8v63-cqqc-6r2c
fix available via `npm audit fix --force`
Will install browser-sync@2.29.1, which is outside the stated dependency range
node_modules/object-path
  tfunk  1.0.0 - 3.1.0
  Depends on vulnerable versions of object-path
  node_modules/tfunk
    eazy-logger  <=3.0.2
    Depends on vulnerable versions of tfunk
    node_modules/eazy-logger

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse
  resolve  
  Depends on vulnerable versions of path-parse
  node_modules/resolve

postcss  <=7.0.35
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
fix available via `npm audit fix --force`
Will install gulp-autoprefixer@8.0.0, which is a breaking change
node_modules/postcss
node_modules/postcss-bem-linter/node_modules/postcss
node_modules/postcss-less/node_modules/postcss
node_modules/stylehacks/node_modules/postcss
node_modules/stylelint-no-browser-hacks/node_modules/postcss
  postcss-less  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-less
  node_modules/stylelint-no-browser-hacks/node_modules/postcss-less
  postcss-safe-parser  <=3.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-safe-parser
  node_modules/stylelint-no-browser-hacks/node_modules/postcss-safe-parser
  postcss-scss  <=1.0.6
  Depends on vulnerable versions of postcss
  node_modules/postcss-scss
  node_modules/stylelint-no-browser-hacks/node_modules/postcss-scss
  sugarss  <=1.0.1
  Depends on vulnerable versions of postcss
  node_modules/stylelint-no-browser-hacks/node_modules/sugarss
  node_modules/sugarss

qs  <6.2.4 || >=6.5.0 <6.5.3
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install node-sass@8.0.0, which is a breaking change
node_modules/qs
node_modules/request/node_modules/qs


scss-tokenizer  <=0.4.2
Severity: high
Regular expression denial of service in scss-tokenizer - https://github.com/advisories/GHSA-7mwh-4pqv-wmr8
fix available via `npm audit fix`
node_modules/scss-tokenizer

shelljs  <=0.8.4
Severity: high
Improper Privilege Management in shelljs - https://github.com/advisories/GHSA-64g7-mvw6-v9qj
Improper Privilege Management in shelljs - https://github.com/advisories/GHSA-4rq4-32rv-6wp6
fix available via `npm audit fix --force`
Will install eslint@8.38.0, which is a breaking change
node_modules/shelljs


socket.io-parser  <=3.3.2
Severity: critical
Resource exhaustion in socket.io-parser - https://github.com/advisories/GHSA-xfhh-g9f5-x4m4
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-qm95-pgcg-qqfq
fix available via `npm audit fix --force`
Will install browser-sync@2.29.1, which is outside the stated dependency range
node_modules/socket.io-parser
  socket.io-client  1.0.0-pre - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
  Depends on vulnerable versions of engine.io-client
  Depends on vulnerable versions of socket.io-parser
  node_modules/socket.io-client
    browser-sync-ui  1.0.1
    Depends on vulnerable versions of socket.io-client
    node_modules/browser-sync-ui


trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix`
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/postcss-markdown/node_modules/remark-parse
  node_modules/remark-parse
    remark  5.0.0 - 12.0.1
    Depends on vulnerable versions of remark-parse
    node_modules/postcss-markdown/node_modules/remark
    node_modules/remark
      postcss-html  0.4.0 - 0.19.0
      Depends on vulnerable versions of remark
      node_modules/postcss-html
      postcss-markdown  <=0.36.0
      Depends on vulnerable versions of remark
      node_modules/postcss-markdown

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix --force`
Will install node-sass@8.0.0, which is a breaking change
node_modules/stylelint-no-browser-hacks/node_modules/trim-newlines
node_modules/stylelint/node_modules/trim-newlines
node_modules/trim-newlines

ua-parser-js  <=0.7.32
Severity: high
ReDoS Vulnerability in ua-parser-js version  - https://github.com/advisories/GHSA-fhg7-m89q-25r3
Regular Expression Denial of Service in ua-parser-js - https://github.com/advisories/GHSA-662x-fhqg-9p8v
ua-parser-js Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-394c-5j6w-4xmx
Regular Expression Denial of Service (ReDoS) in ua-parser-js - https://github.com/advisories/GHSA-78cj-fxph-m83p
fix available via `npm audit fix --force`
Will install browser-sync@2.29.1, which is outside the stated dependency range
node_modules/ua-parser-js

underscore  1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/underscore

ws  6.0.0 - 6.2.1
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
fix available via `npm audit fix`
node_modules/puppeteer/node_modules/ws

xmlhttprequest-ssl  <=1.6.1
Severity: critical
Improper Certificate Validation in xmlhttprequest-ssl - https://github.com/advisories/GHSA-72mh-269x-7mh5
Arbitrary Code Injection - https://github.com/advisories/GHSA-h4j5-c7cj-74xg
fix available via `npm audit fix --force`
Will install browser-sync@2.29.1, which is outside the stated dependency range
node_modules/xmlhttprequest-ssl
  engine.io-client  1.6.0 - 1.8.5 || 2.0.0 - 3.3.2 || 3.4.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
  Depends on vulnerable versions of xmlhttprequest-ssl
  node_modules/engine.io-client

y18n  <3.2.2
Severity: high
Prototype Pollution in y18n - https://github.com/advisories/GHSA-c4w7-xm78-47vh
fix available via `npm audit fix --force`
Will install browser-sync@2.29.1, which is outside the stated dependency range
node_modules/y18n

yargs-parser  <=5.0.0 || 6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install node-sass@8.0.0, which is a breaking change
node_modules/kss/node_modules/yargs-parser
node_modules/sass-graph/node_modules/yargs-parser
node_modules/stylelint-no-browser-hacks/node_modules/yargs-parser
node_modules/yargs-parser

171 vulnerabilities (2 low, 27 moderate, 96 high, 46 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Steps to reproduce

cd starterkit
npm audit

Proposed resolution

Remaining tasks

🐛 Bug report
Status

Needs work

Version

1.0

Component

Code

Created by

Live updates comments and jobs are added and updated live.
  • Security

    It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

  • Issue created by @cilefen
  • Assigned to Arshu1864
  • 🇮🇳India Arshu1864

    I take full responsibility of solving this issue

  • 🇬🇧United Kingdom natts London

    @Arshu1864: As the new module maintainer, I'm OK with having others work on the outstanding issues, but I need to know when you expect to resolve this specific issue by?

  • 🇮🇳India Arshu1864

    I'm fixing the issue and will hopefully be resolved by end of this week

  • Issue was unassigned.
  • Status changed to Needs review over 1 year ago
  • 🇮🇳India Arshu1864

    I have fixed the issue and tested it now it is working fine. There is on npm audit there is showing found 0 vulnerabilities. I am attaching patch alongside with it please check.

  • 🇬🇧United Kingdom natts London

    Thanks.

    I can't test it as I don't know which release you were working from? The hash doesn't match 8.x-1.15 (4de9cd3). Which release is the patch for?

    curl https://www.drupal.org/files/issues/2023-04-13/npm-dependencies-3353211-%236.patch | git apply -v --index
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 1132k  100 1132k    0     0  3342k      0 --:--:-- --:--:-- --:--:-- 3342k
    Checking patch starterkit/package-lock.json...
    error: starterkit/package-lock.json: does not match index
    Checking patch starterkit/package.json...
    error: starterkit/package.json: does not match index
  • 🇮🇳India Arshu1864

    I have cloned from the 8.x-1.x branch and my npm version is 9.6.4 and node version is v16.19.1

  • 🇬🇧United Kingdom natts London

    OK, but what is the hash or the commit message of the commit that you cloned? When I am cloning from the commit tagged with the latest release (8.x-1.15), hash 4de9cd3, your patch doesn't work.

  • 🇮🇳India Arshu1864

    Sorry the while creating patch file the # got added I had renamed the file and added along with this comment

  • 🇬🇧United Kingdom natts London

    Thanks but that still doesn't work:

    $ curl https://www.drupal.org/files/issues/2023-04-13/npm-dependencies-3353211-6.patch | git apply -v --index
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 1132k  100 1132k    0     0   176k      0  0:00:06  0:00:06 --:--:--  276k
    Checking patch starterkit/package-lock.json...
    error: starterkit/package-lock.json: does not match index
    Checking patch starterkit/package.json...
    error: starterkit/package.json: does not match index

    Again, which commit (give me the commit message, date/time, hash, or link to it) does your patch work against? The commit log is here.

  • @arshu1864 opened merge request.
  • 🇮🇳India Arshu1864

    https://git.drupalcode.org/project/cog/-/merge_requests/2
    This is the merge request I have created please check

  • 🇺🇸United States greggles Denver, Colorado, USA

    For what it's worth the patch in #10 applies for me to ca8975e9 on the tip of what code is in gitlab:

    greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)> git status
    On branch 8.x-1.x
    Your branch is up to date with 'origin/8.x-1.x'.
    
    nothing to commit, working tree clean
    greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)> git log | head
    commit ca8975e981f8c2c277e524966330685e15743fb7
    Author: Dave Nattriss <dave@natts.com>
    Date:   Wed Apr 12 05:19:18 2023 +0100
    
        Updated deprecated spaceless usage in toolbar.html.twig, as per:
        https://www.drupal.org/project/cog/issues/3261882
    
    commit 4de9cd30ba0a26b90e4443623461fa9835888ab9
    Merge: a80b097 4cf4b08
    Author: Aaron Ellison <aaron.ellison@acquia.com>
    greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)> curl -O https://www.drupal.org/files/issues/2023-04-13/npm-dependencies-3353211-6.patch
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 1132k  100 1132k    0     0  2278k      0 --:--:-- --:--:-- --:--:-- 2307k
    greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)> git apply --index < npm-dependencies-3353211-6.patch
    greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)> git status
    On branch 8.x-1.x
    Your branch is up to date with 'origin/8.x-1.x'.
    
    Changes to be committed:
      (use "git restore --staged <file>..." to unstage)
    	modified:   starterkit/package-lock.json
    	modified:   starterkit/package.json
    
    Untracked files:
      (use "git add <file>..." to include in what will be committed)
    	npm-dependencies-3353211-6.patch
    
    greggles@GKnaddison-MBP ~/c/cog (8.x-1.x)>
    

    I do think the merge request is better to have, though, thanks for making that.

    Do all the features of the theme work with these latest udpates? I'm surprised there wasn't any change required beyond the package files.

  • 🇬🇧United Kingdom natts London

    I've now been able to get the patch working, after starting with a fresh checkout on the 8.x-1.x branch (sorry about that). Running 'npm audit' confirms all vulnerabilities have been addressed.

    However, I don't know what theme functionality this could affect or break. Does anyone have experience with travis? There are some tests available in the project.

  • 🇫🇮Finland heikkiy Oulu

    Most of the NPM packages updated are related to linting tools and build tools. If all the tools and NPM commands work after the upgrade, it should be good to go. There are three different commands for gulp which should be tested that they still work.

    The travis tests seem to just run the NPM commands to make sure that they are working:

    npm install -g gulp-cli
    npm install -g npm@latest
    npm run install-tools
    
    gulp
    
  • Status changed to Needs work over 1 year ago
  • 🇫🇮Finland heikkiy Oulu

    Marking as Needs work because of the above comment.

  • 🇬🇧United Kingdom natts London

    OK, so is anyone reading this able to help with that? I really don't have the experience with Gulp or Webpack etc., but am happy to approve merge requests to get this theme marked safe again.

  • 🇫🇮Finland heikkiy Oulu

    @natts We will investigate in Exove if we can help out.

Production build 0.71.5 2024