DEV Community

Pacharapol Withayasakpunt

Are security fixes safe to automate?

Recently, I received a lot of GitHub security warnings about these, which `npm audit` cannot even detect yet. And GitHub cannot automate the fixes either.

```json
    "acorn": ">=5.7.4",
    "minimist": ">=1.2.2"
```

After looking it up, and realizing that Yarn has selective dependency resolutions, I realized that I can do the same on npm as well.

```json
"resolutions": {
  "acorn": ">=5.7.4",
  "minimist": ">=1.2.2"
}
```

```bash
rm -rf node_modules
npx npm-force-resolutions && npm i
```

But still, it stops me from using Pug.js in Vue. So, I decided not to fix Acorn...

```text
├─┬ @vue/cli-plugin-babel@4.2.3
│ └─┬ webpack@4.42.0
│   └── acorn@6.4.1
├─┬ @vue/cli-service@4.2.3
│ ├── acorn@7.1.1
│ └─┬ webpack-bundle-analyzer@3.6.1
│   └── acorn@7.1.1
└─┬ vue-cli-plugin-pug@1.0.7
  └─┬ pug@2.0.4
    ├─┬ pug-code-gen@2.0.2
    │ └─┬ with@5.1.1
    │   ├── acorn@3.3.0
    │   └─┬ acorn-globals@3.1.0
    │     └── acorn@4.0.13
    └─┬ pug-lexer@4.1.0
      └─┬ is-expression@3.0.0
        └── acorn@4.0.13
```

I'm not sure if this is safe. After some review, it seems that this is entirely Pug.js's fault. Not that I have alternatives (clean syntax without the need for explicit closing tags).
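One way to check whether forced resolutions actually took effect, as an added example that is not part of the original post: walk the `dependencies` tree of a package-lock.json (v1 format) and list every installed copy of a pinned package that still falls below its required range. The lockfile fragment below is constructed to mirror the `npm ls` tree above; only the `>=` and `^` range forms used on this page are handled.

```javascript
// Added example (not from the original post): walk a package-lock.json v1 "dependencies"
// tree and report every installed copy that violates its "resolutions" range. Only the
// ">=x.y.z" and "^x.y.z" forms used in the post are handled, so no semver dependency.
const parse = (v) => v.split('.').map(Number);

// Numeric comparison of dotted versions: negative, zero or positive like strcmp.
function cmp(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}
// ">=1.2.2": at or above the floor; "^1.2.5": at or above the floor and same major.
function satisfies(version, range) {
  if (range.startsWith('>=')) return cmp(version, range.slice(2)) >= 0;
  if (range.startsWith('^')) {
    const floor = range.slice(1);
    return cmp(version, floor) >= 0 && parse(version)[0] === parse(floor)[0];
  }
  throw new Error(`unsupported range: ${range}`);
}
// Returns [{ path, version, range }] for every copy that still violates a resolution.
function findViolations(lock, resolutions, path = []) {
  const out = [];
  for (const [name, meta] of Object.entries(lock.dependencies || {})) {
    const here = [...path, `${name}@${meta.version}`];
    if (resolutions[name] && !satisfies(meta.version, resolutions[name])) {
      out.push({ path: here.join(' > '), version: meta.version, range: resolutions[name] });
    }
    out.push(...findViolations(meta, resolutions, here)); // nested copies
  }
  return out;
}

// Constructed lockfile fragment modelled on the npm ls tree in the post.
const SAMPLE_LOCK = { dependencies: {
  '@vue/cli-plugin-babel': { version: '4.2.3', dependencies: {
    webpack: { version: '4.42.0', dependencies: { acorn: { version: '6.4.1' } } } } },
  'vue-cli-plugin-pug': { version: '1.0.7', dependencies: {
    pug: { version: '2.0.4', dependencies: {
      with: { version: '5.1.1', dependencies: {
        acorn: { version: '3.3.0' },
        'acorn-globals': { version: '3.1.0', dependencies: { acorn: { version: '4.0.13' } } } } } } } } },
  minimist: { version: '1.2.5' } } };
const RESOLUTIONS = { acorn: '>=5.7.4', minimist: '>=1.2.2' };
for (const v of findViolations(SAMPLE_LOCK, RESOLUTIONS)) {
  console.log(`${v.path}: ${v.version} does not satisfy ${v.range}`);
}
```

Run against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `SAMPLE_LOCK`; an empty result means no copy of the pinned packages is left below the floor.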

I did hear a lot that `npm audit fix` leads to broken dependencies... Also, is Node.js / npm a security hell?

Top comments (1)

Chris Saldivar

I'm not sure what your error with Vue is, but I used the following resolutions to fix the security issue.

```json
  "resolutions": {
    "minimist": "^1.2.5",
    "acorn": ">=5.7.4",
    "with": "^6.0.0"
  }
```

I had to force `with` to upgrade too, since I was getting the following error otherwise.

```text
Error: Cannot find module 'acorn/dist/walk'
```

Turns out `with` was using `acorn`, but they dropped that dependency back in 2016, and whatever was pulling in `with` was using an old version. So the newer version of `with` uses babel instead of acorn.