Removing vulnerabilities in new project (v1 app skeleton)


How should I remove all the security vulnerabilities when starting a new project using “au new”? Some of these seem quite severe:

dem@MacBook temp % npm i -g aurelia-cli
npm WARN deprecated source-map-url@0.4.1: (removed URL)
npm WARN deprecated urix@0.1.0: Please see (removed URL)
npm WARN deprecated resolve-url@0.2.1: (removed URL)
npm WARN deprecated source-map-resolve@0.5.3: See (removed URL)
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.

Note: I had to remove the URLs from the warnings above to post this message.

If it matters, I’m using Node 16 LTS and am trying to create a default TypeScript app.

Sorry, I’m pretty much a complete beginner with this stuff.

Thank you for any pointers.


Unfortunately, except querystring, the rest are all dependencies of gulp v4.
Gulp v4 has not released any new version for 3 years :frowning:


Thank you very much for your response. Definitely a bit disappointing to need to wait for a Gulp update. The Gulp forum makes it seem like v5 should be coming “soon”, but that is a very impressively broad library…

I need to assume that external vulnerability scanning tools will notice these outdated libraries, which would cause us problems with government clients.

There does not seem to be a path forward for v1 at this time.

Best regards,


@dem you do not need gulp to use aurelia v1; we use webpack for our bundling. Are there other skeletons for v1 that do not use gulp?

@huochunpeng ^^

For audits you’d actually inspect the prod dependencies, as that is what you ship. Gulp is merely a devDependency for building your app.

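The prod/dev split described in the reply above, as an added example that is not part of the original thread. It reads the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3), where npm marks entries that exist only in the devDependencies tree with `"dev": true`; the sample lockfile, `classifyFlagged` and `packageName` are constructed for illustration.

```javascript
// Constructed sample lockfile, not taken from a real Aurelia project.
// Where querystring sits here is made up to show the "shipped" branch.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app" },
    "node_modules/chokidar": { version: "2.1.8", dev: true },
    "node_modules/fsevents": { version: "1.2.13", dev: true, optional: true },
    "node_modules/querystring": { version: "0.2.0" },
    "node_modules/gulp/node_modules/urix": { version: "0.1.0", dev: true },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Split the flagged package names into what ships and what is build-time only.
function classifyFlagged(lock, flaggedNames) {
  if (!lock.packages) {
    throw new Error("no packages map (lockfileVersion 1); regenerate with npm 7+");
  }
  const flagged = new Set(flaggedNames);
  const result = { shipped: [], devOnly: [] };
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || entry.link) continue; // skip the root project and links
    const name = packageName(path);
    if (!flagged.has(name)) continue;
    const id = `${name}@${entry.version}`;
    // Only a strict "dev": true counts as build-time only; anything else,
    // including "devOptional", can be installed in production.
    (entry.dev === true ? result.devOnly : result.shipped).push(id);
  }
  return result;
}

// For a real project, pass JSON.parse of the package-lock.json contents.
const names = ["chokidar", "fsevents", "urix", "querystring"];
const report = classifyFlagged(sampleLock, names);
console.log("ships to production:", report.shipped);
console.log("build-time only:", report.devOnly);
```

`npm audit --omit=dev` applies the same production-only filter to npm's advisory data.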

aurelia-cli uses gulp to drive all those “au” commands like “au generate” and “au build”.

Thank you all for taking the time to explain this to me.

As I mentioned, I’m a complete beginner at this.

Best regards,