High Severity Security Warnings on Initial aurelia-cli Install

Hello, just started to explore Aurelia for the first time as a possible tool I could use on my next project!

I’ve just tried installing the CLI for the first time today, on Mac OS 13.0.1, and saw all of the following deprecations and warnings, and I have no idea what to do. I haven’t seen any other posts anywhere about this recently. I have no idea how I should proceed. Can anyone give me some guidance?

(~)$sudo npm install aurelia-cli -g
Password:
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
added 613 packages, and audited 614 packages in 35s

6 high severity vulnerabilities

I really appreciate any attention anyone gives this post.

Most of them are outdated deps of gulp v4 which is not in our control.
Sadly the upcoming gulp v5 is in a half-dead state.

huocp@Chunpengs-MacBook-Pro ~/playground> npm ls source-map-url
playground@ /Users/huocp/playground
└─┬ aurelia-cli@3.0.1
  └─┬ gulp@4.0.2
    └─┬ glob-watcher@5.0.5
      └─┬ anymatch@2.0.0
        └─┬ micromatch@3.1.10
          └─┬ snapdragon@0.8.2
            └─┬ source-map-resolve@0.5.3
              └── source-map-url@0.4.1

However, if you use the latest Node plus the latest npm v8+, we do have a “patch” in the app’s package.json to force upgrading those outdated packages.

You don’t need to install aurelia-cli globally anymore;
the au new command can be replaced entirely with npx makes aurelia/v1.

Then in the app, you can use npx au run (and other au commands) without a globally installed cli.
npx au runs the locally installed au inside your app’s node_modules.

In your app’s package.json, you can find the patch:

  "overrides": {
    "chokidar": "^3.0.0",
    "glob-stream": "^7.0.0",
    "glob-parent": "^6.0.0",
    "micromatch": "^4.0.0"
  }

That bypasses those gulp v4 issues. I will check if we can directly add this patch to aurelia-cli’s package.json.

Update: the “overrides” in aurelia-cli doesn’t affect the end user’s app, nor the global installation. So no easy patch for aurelia-cli itself.


Wow, thanks so much for posting, and so soon! Do you mean to imply that I should just proceed, ignoring all of this?

I really don’t know that much about NodeJS; I’ve only used it to build Cordova apps a while ago. What do these overrides do for us if it doesn’t affect the end user app or the global installation? Does this mean a local installation will be affected, and is this the benefit of a local installation? Is NodeJS ver. 18.12.1 LTS good enough, or do I need the newest version to benefit in some way from this?

Just to be clear, I’m working with Aurelia ver. 1, correct? If so, where can I find information on what, if any, breaking changes will be made in Aurelia 2? I’ve been looking around to better understand the differences and what I should be using for the project I’ve been hired to build, given that once a final product is delivered, it may be several years before anyone is hired to update it.

My opinion on what to use will carry the most weight, and I’ve been quite excited to have the opportunity to use Aurelia in a project in which it appears to be a great fit for the particulars of what needs to happen. I’ve been following this project since before a stable first version was released. Now I’m trying to evaluate how usable it is by trying it out. I hope there aren’t many potential users who would be spooked like I was by the results of trying to install it.

Again, thanks so much for your in-depth, timely post. It increases my confidence that there is a community of enthusiastic users who are willing to help.


The overrides only affect your project (the app, per app), not the global installation.
The result is that at least you would not see so many warnings in your app.
The latest Node.js v18 LTS is good enough.

Node.js security warnings normally only apply to a Node.js server process, where you use Node.js to run the web server. Since we only use gulp v4 to help run the au commands (build/test/dev-server), those warnings are almost irrelevant to your end product (the bundled js files for deployment).

Yes, you are working with Aurelia v1.

Aurelia v2 is still in alpha, but quite stable, the doc site is https://docs.aurelia.io.
Both v1 and v2 are fine for new projects. You don’t need aurelia-cli for Aurelia v2.
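As an added illustration of the point made above (example code, not from the thread or the Aurelia project): the script walks a constructed dependency graph condensed from the `npm ls source-map-url` chain quoted earlier and labels each flagged package as runtime (reachable from `dependencies`, so it ends up in the shipped bundle) or build-only (reachable only through `devDependencies` such as aurelia-cli and gulp). The graph contents, the package.json split, the flagged list and the `querystring` entry are constructed sample data.

```javascript
// Constructed graph (package -> direct deps), condensed from the `npm ls`
// chain quoted in the thread; versions are dropped, contents are assumed.
const GRAPH = {
  "aurelia-cli": ["gulp"],
  gulp: ["glob-watcher"],
  "glob-watcher": ["anymatch", "chokidar"],
  anymatch: ["micromatch"],
  micromatch: ["snapdragon"],
  snapdragon: ["source-map-resolve"],
  "source-map-resolve": ["source-map-url", "resolve-url", "urix"],
  chokidar: ["fsevents"],
  "aurelia-framework": ["aurelia-binding"],
};

// Constructed package.json split: runtime deps vs build-only devDependencies.
const PACKAGE_JSON = {
  dependencies: { "aurelia-framework": "^1.4.1" },
  devDependencies: { "aurelia-cli": "^3.0.1" },
};

// Constructed flagged names; "querystring" shows a package outside this tree.
const FLAGGED = ["source-map-url", "resolve-url", "urix", "fsevents",
  "chokidar", "aurelia-binding", "querystring"];

// Breadth-first walk: every package reachable from the given root names.
function reachableFrom(roots, graph) {
  const seen = new Set(roots);
  const queue = [...roots];
  while (queue.length) {
    for (const dep of graph[queue.shift()] || []) {
      if (!seen.has(dep)) { seen.add(dep); queue.push(dep); }
    }
  }
  return seen;
}

// Label each flagged package "runtime", "build-only" or "not-installed".
function classify(flagged, packageJson, graph) {
  const prod = reachableFrom(Object.keys(packageJson.dependencies || {}), graph);
  const dev = reachableFrom(Object.keys(packageJson.devDependencies || {}), graph);
  const labels = {};
  for (const name of flagged) {
    if (prod.has(name)) labels[name] = "runtime";        // ships in the bundle: fix it
    else if (dev.has(name)) labels[name] = "build-only"; // gulp/CLI tooling only
    else labels[name] = "not-installed";                 // e.g. only in a global install
  }
  return labels;
}

console.log(classify(FLAGGED, PACKAGE_JSON, GRAPH));
```

A "runtime" label is the one that matters for the deployed bundle; "build-only" findings still deserve the overrides shown earlier, but they do not reach the end product.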

Thanks so much. I now understand the (in)significance of the warnings for what I’m doing with NodeJS.

I introduced a new topic on finding documentation on what changes I need to plan for with v2, so it’s easier for others to find.

Thanks so much for responding and bearing with me while I get up to speed on this!


What a polite and informative user. Glad to have you here. I hope your new experience with Aurelia has been successful