How should I remove all the security vulnerabilities when starting a new project using “au new”? Some of these seem quite severe:
dem@MacBook temp % npm i -g aurelia-cli
npm WARN deprecated firstname.lastname@example.org: (removed URL)
npm WARN deprecated email@example.com: Please see (removed URL)
npm WARN deprecated firstname.lastname@example.org: (removed URL)
npm WARN deprecated email@example.com: See (removed URL)
npm WARN deprecated firstname.lastname@example.org: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated email@example.com: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated firstname.lastname@example.org: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
Note: I had to remove the URLs from the warnings above to post this message.
If it matters, I’m using Node 16 LTS and am trying to create a default Typescript app.
Sorry, I’m pretty much a complete beginner with this stuff.
Thank you for any pointers.
Unfortunately, except querystring, the rest are all dependencies of gulp v4.
Gulp v4 has not released any new version for 3 years.
Thank you very much for your response. Definitely a bit disappointing to need to wait for a Gulp update. The Gulp forum makes it seem like v5 should be coming “soon”, but that is a very impressively broad library…
I need to assume that external vulnerability scanning tools will notice these outdated libraries, which would cause us problems with government clients.
There does not seem to be a path forward for v1 at this time.
@dem you do not need gulp to use Aurelia v1; we use webpack for our bundling. Are there other skeletons for v1 that do not use gulp?
For audits you’d actually inspect the prod dependencies, as that is what you ship. Gulp is merely a devDependency for building your app.
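The prod-versus-dev split described in the reply above can be read straight from a project's `package-lock.json`. The following is an added example, not code from any poster or from aurelia-cli; the lockfile contents, version strings and the `example-optional-lib` package are constructed sample data, and `classifyLockfile` is a hypothetical helper name.

```javascript
// Added example: split a package-lock.json (lockfileVersion 2 or 3) into
// packages that can ship with the app and packages that are build-time only.
// Constructed sample data; versions are placeholders, not real releases.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/aurelia-framework": { version: "0.0.0-sample" },
    "node_modules/gulp": { version: "0.0.0-sample", dev: true },
    "node_modules/chokidar": { version: "0.0.0-sample", dev: true },
    "node_modules/fsevents": { version: "0.0.0-sample", dev: true, optional: true },
    "node_modules/gulp/node_modules/glob-watcher": { version: "0.0.0-sample", dev: true },
    "node_modules/example-optional-lib": { version: "0.0.0-sample", devOptional: true },
  },
};

function classifyLockfile(lock) {
  if (!lock.packages) {
    // lockfileVersion 1 only has a nested "dependencies" tree.
    throw new Error("no 'packages' map; regenerate the lockfile with npm 7+");
  }
  const marker = "node_modules/";
  const result = { shipped: [], devOnly: [] };
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (path === "" || meta.link) continue; // root project or workspace symlink
    // Nested installs repeat the marker; the package name follows the last one.
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    // dev: true   -> strictly inside the devDependencies tree (never shipped).
    // devOptional -> also an optional dependency of a non-dev package, so it
    //                can be installed in production and is counted as shipped.
    const bucket = meta.dev === true ? result.devOnly : result.shipped;
    bucket.push(`${name}@${meta.version}`);
  }
  result.shipped.sort();
  result.devOnly.sort();
  return result;
}

console.log(classifyLockfile(sampleLock));
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` instead of `sampleLock`. npm's own `npm audit --omit=dev` applies the same filter when reporting advisories.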
aurelia-cli uses gulp to drive all those “au” commands like “au generate” and “au build”.
Thank you all for taking the time to explain this to me.
As I mentioned, I’m a complete beginner at this.