[Solved] Aurelia-cli: "Default TypeScript App" warns about deprecated packages and high severity vulnerability in serialize-javascript-2.1.2

Trying out Aurelia for the first time
When following the tutorial at http://aurelia.io/docs/tutorials/creating-a-todo-app#setup
I installed node-v12.18.3-x64.msi
(Then tried with node-v14.8.0-x64.msi, but same)

npm install -g aurelia-cli

npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated buffer@5.0.5: This version of 'buffer' is out-of-date. You must update to v5.0.8 or newer
C:\Users\Leion\AppData\Roaming\npm\aurelia -> C:\Users\Leion\AppData\Roaming\npm\node_modules\aurelia-cli\bin\aurelia-cli.js
C:\Users\Leion\AppData\Roaming\npm\au -> C:\Users\Leion\AppData\Roaming\npm\node_modules\aurelia-cli\bin\aurelia-cli.js
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules\aurelia-cli\node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

+ aurelia-cli@1.3.1
updated 1 package in 12.954s

Creating a “Default TypeScript” app via “au new” gives a warning about a vulnerability

Would you like to install all the npm dependencies? · Yes
Installing project dependencies...

npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated buffer@5.0.5: This version of 'buffer' is out-of-date. You must update to v5.0.8 or newer
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.

> core-js@2.6.11 postinstall C:\Users\Leion\aurelia-app-2\node_modules\core-js
> node -e "try{require('./postinstall')}catch(e){}"

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)


> ejs@2.7.4 postinstall C:\Users\Leion\aurelia-app-2\node_modules\ejs
> node ./postinstall.js

Thank you for installing EJS: built with the Jake JavaScript build tool (https://jakejs.com/)

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^1.2.7 (node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@^2.1.2 (node_modules\jest-haste-map\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})
npm WARN notsup Unsupported engine for watchpack-chokidar2@2.0.0: wanted: {"node":"<8.10.0"} (current: {"node":"14.8.0","npm":"6.14.8"})
npm WARN notsup Not compatible with your version of node/npm: watchpack-chokidar2@2.0.0
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.1.2 (node_modules\watchpack\node_modules\chokidar\node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

added 1476 packages from 711 contributors and audited 1487 packages in 29.788s

43 packages are looking for funding
run `npm fund` for details

found 1 high severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
Project dependencies were installed.

npm audit

C:\Users\Leion\aurelia-app>npm audit

=== npm audit security report ===

# Run npm install --save-dev copy-webpack-plugin@6.0.3 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

High Remote Code Execution

Package serialize-javascript

Dependency of copy-webpack-plugin [dev]

Path copy-webpack-plugin > serialize-javascript

More info https://npmjs.com/advisories/1548

I guess this is the package:

C:\Users\Leion\aurelia-app\node_modules\serialize-javascript\package.json

"_resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz",
"_shasum": "ecec53b0e0317bdc95ef76ab7074b7384785fa61",

Could the packages for the aurelia-cli be upgraded so that the WARN deprecated messages and this vulnerability are fixed when doing a fresh install, or did I screw something up?

Edit: This is on Windows. Doing above steps on Fedora Desktop 32 I get the deprecated warnings but not the high severity vulnerability.

1 Like
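The audit report above names the package, the installed version and the dependency path ("copy-webpack-plugin > serialize-javascript"). The following script, an added example that is not code from this thread, from Aurelia or from npm, shows how that path is recovered from an npm 6 package-lock.json (lockfileVersion 1): it follows each package's "requires" entries, resolving every name the way node_modules is laid out (nearest nested "dependencies" map first, then outward to the hoisted top level), and reports each reachable copy whose version is below a patched version. The lockfile and package.json are constructed; the "copy-webpack-plugin > serialize-javascript@2.1.2" path mirrors the audit output in the question, while "other-tool" and its nested 3.1.0 copy are invented to exercise nested resolution. The patched version 3.1.0 is an assumption taken from the advisory linked in the report, not a value stated in the thread.

```javascript
// Added example (not from the thread): scan an npm 6 package-lock.json for
// copies of a package older than an assumed patched version and print each
// dependency path the way the "Path" line of `npm audit` does.

// Constructed package.json: only the direct dependencies matter for the walk.
const samplePackageJson = {
  devDependencies: { "copy-webpack-plugin": "^5.1.1", "other-tool": "^1.0.0" },
};

// Constructed lockfile (lockfileVersion 1 layout, as written by npm 6).
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "copy-webpack-plugin": {
      version: "5.1.1",
      dev: true,
      requires: { "serialize-javascript": "^2.1.2" },
    },
    // Hoisted copy: this is the one copy-webpack-plugin resolves to.
    "serialize-javascript": {
      version: "2.1.2",
      dev: true,
      resolved: "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz",
    },
    // Invented package with a nested copy that shadows the hoisted one.
    "other-tool": {
      version: "1.0.0",
      dev: true,
      requires: { "serialize-javascript": "^3.1.0" },
      dependencies: {
        "serialize-javascript": { version: "3.1.0", dev: true },
      },
    },
  },
};

// Assumption: first version without the reported flaw; confirm against the advisory.
const ASSUMED_PATCHED_VERSION = "3.1.0";

// Parse "MAJOR.MINOR.PATCH" (ignoring a prerelease/build suffix) into numbers.
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Resolve a required name like Node's module lookup: the nearest enclosing
// "dependencies" map wins, falling back outward to the hoisted root map.
function resolveDep(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i] && Object.prototype.hasOwnProperty.call(scopes[i], name)) {
      return scopes[i][name];
    }
  }
  return null;
}

// Return [{ path, version, dev }] for every reachable copy of pkgName whose
// installed version is below patchedVersion. Each distinct path is reported,
// as npm audit does; the per-branch visited set only breaks cycles.
function findVulnerablePaths(pkgJson, lock, pkgName, patchedVersion) {
  const rootRequires = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const hits = [];
  const visit = (requires, scopes, trail, visited) => {
    for (const name of Object.keys(requires || {})) {
      const node = resolveDep(name, scopes);
      if (!node) continue; // dangling require: lockfile and package.json disagree
      const key = `${name}@${node.version}`;
      if (visited.has(key)) continue; // cycle guard
      const path = [...trail, name];
      if (name === pkgName && compareVersions(node.version, patchedVersion) < 0) {
        hits.push({ path: path.join(" > "), version: node.version, dev: Boolean(node.dev) });
      }
      visit(node.requires, [...scopes, node.dependencies], path, new Set([...visited, key]));
    }
  };
  visit(rootRequires, [lock.dependencies], [], new Set());
  return hits;
}

// Print a report in the spirit of the audit output quoted in the question.
function report() {
  const hits = findVulnerablePaths(samplePackageJson, sampleLock, "serialize-javascript", ASSUMED_PATCHED_VERSION);
  for (const h of hits) {
    console.log(`${h.dev ? "[dev] " : ""}${h.path}  (installed ${h.version} < ${ASSUMED_PATCHED_VERSION})`);
  }
  return hits;
}

report();
```

With the constructed input the script reports only the "copy-webpack-plugin > serialize-javascript" path: the nested 3.1.0 copy under "other-tool" is resolved first for that package and is not below the patched version, which is why a hoisted old copy can be vulnerable for one dependant and irrelevant for another. To run it against a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync(...))` of package.json and package-lock.json.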

Thanks for reporting this. Let’s nudge @huochunpeng :stuck_out_tongue:
Or maybe you can help with a PR to update the dependencies in our template project?

Try npm i -g aurelia-cli again; it will upgrade aurelia-cli to the latest v2.0.0.
Create another project; there is no vulnerability warning in the latest skeleton.

2 Likes