Removing vulnerabilities in new project (v1 app skeleton)

Hi,

How should I remove all the security vulnerabilities when starting a new project using “au new”. Some of these seem quite severe:

dem@MacBook temp % npm i -g aurelia-cli
npm WARN deprecated source-map-url@0.4.1: (removed URL)
npm WARN deprecated urix@0.1.0: Please see (removed URL)
npm WARN deprecated resolve-url@0.2.1: (removed URL)
npm WARN deprecated source-map-resolve@0.5.3: See (removed URL)
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.

Note: I had to remove the URLs from the warnings above to post this message.

If it matters, I’m using Node 16 LTS and am trying to create a default Typescript app.

Sorry, I’m pretty much a complete beginner with this stuff.

Thank you for any pointers.

David

Unfortunately, except querystring, the rest are all dependencies of gulp v4.
Gulp v4 has not released any new version for 3 years :frowning:

Hi,

Thank you very much for your response. Definitely a bit disappointing to need to wait for a Gulp update. The Gulp forum makes it seem like v5 should be coming “soon”, but that is a very impressively broad library…

I need to assume that external vulnerability scanning tools will notice these outdated libraries, which would cause us problems with government clients.

There does not seem to be a path forward for v1 at this time.

Best regards,

David

@dem, you do not need gulp to use Aurelia v1; we use webpack for our bundling. Are there other skeletons for v1 that do not use gulp?

@huochunpeng ^^

For audits you’d actually inspect the prod dependencies, as that is what you ship. Gulp is merely a devDependency for building your app.

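The point about auditing what you ship rather than what you build with can be checked directly against the project's lockfile. The following is an added example, not code from the thread or from the Aurelia project: it reads an npm lockfile (lockfileVersion 2 or 3, which carry a `packages` map where dev-only entries are flagged `dev: true`) and splits the tree into production and dev-only packages. The lockfile object here is constructed for illustration; the package names and versions echo the warnings quoted above, but the tree itself is made up, and where `querystring` really sits in a generated skeleton is not something this example asserts.

```javascript
// Added example (not from the thread or the Aurelia project): classify the
// entries of an npm lockfile (lockfileVersion 2 or 3) into shipped production
// dependencies and dev-only build tooling, so an audit can focus on what is
// actually deployed.

// Constructed sample lockfile. Names/versions mirror the npm warnings quoted in
// the thread; the dependency tree is invented and "querystring" is placed in the
// production tree purely for illustration (assumption, not a fact about au new).
const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      dependencies: { "aurelia-framework": "^1.4.1" },
      devDependencies: { "aurelia-cli": "^2.0.0" }
    },
    "node_modules/aurelia-framework": { version: "1.4.1" },
    "node_modules/aurelia-cli": { version: "2.0.0", dev: true },
    "node_modules/gulp": { version: "4.0.2", dev: true },
    // nested install under gulp: the package name must still come out as "chokidar"
    "node_modules/gulp/node_modules/chokidar": { version: "2.1.8", dev: true },
    "node_modules/fsevents": { version: "1.2.13", dev: true, optional: true },
    "node_modules/querystring": { version: "0.2.0" }
  }
};

// Derive the package name from a lockfile path such as
// "node_modules/gulp/node_modules/chokidar" or "node_modules/@scope/pkg".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Split every installed package into { prod, dev } lists.
// Entries with dev: true are only reachable from devDependencies and are not
// part of the runtime bundle; everything else is what an audit of the shipped
// artifact should cover.
function classifyLockfile(lock) {
  if (!lock || typeof lock.packages !== "object") {
    throw new Error("expected lockfileVersion 2 or 3 (a 'packages' map)");
  }
  const prod = [];
  const dev = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // the root project entry, not a dependency
    const record = {
      name: packageNameFromPath(lockPath),
      version: entry.version,
      path: lockPath,
      optional: Boolean(entry.optional)
    };
    (entry.dev ? dev : prod).push(record);
  }
  return { prod, dev };
}

// Version of a package as it is shipped, or null if it is dev-only / absent.
function shippedVersionOf(lock, name) {
  const hit = classifyLockfile(lock).prod.find((p) => p.name === name);
  return hit ? hit.version : null;
}

// Stand-alone usage: print both lists for the constructed lockfile.
const { prod, dev } = classifyLockfile(sampleLock);
console.log("shipped (audit these):", prod.map((p) => `${p.name}@${p.version}`));
console.log("dev-only (build tooling):", dev.map((p) => `${p.name}@${p.version}`));
```

To run this against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The same split is what current npm does for you with `npm audit --omit=dev`, which reports only advisories reachable from production dependencies; the manual version is useful when a client's scanner lists every package in the lockfile and you need to show which ones never reach the deployed bundle.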

aurelia-cli uses gulp to drive all those “au” commands like “au generate” and “au build”.

Thank you all for taking the time to explain this to me.

As I mentioned, I’m a complete beginner at this.

Best regards,

David