Too many vulnerabilities on fresh vue project

[JoaoHamerski]

Version

4.5.13

Environment info

System:
    OS: Linux 5.11 Ubuntu 20.04.3 LTS (Focal Fossa)
    CPU: (4) x64 Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz
  Binaries:
    Node: 14.17.5 - /usr/local/bin/node
    Yarn: 1.22.11 - /usr/local/bin/yarn
    npm: 7.23.0 - /usr/local/bin/npm
  Browsers:
    Chrome: Not Found
    Firefox: 91.0.2
  npmPackages:
    @vue/babel-helper-vue-jsx-merge-props:  1.2.1 
    @vue/babel-helper-vue-transform-on:  1.0.2 
    @vue/babel-plugin-jsx:  1.0.7 
    @vue/babel-plugin-transform-vue-jsx:  1.2.1 
    @vue/babel-preset-app:  4.5.13 
    @vue/babel-preset-jsx:  1.2.4 
    @vue/babel-sugar-composition-api-inject-h:  1.2.1 
    @vue/babel-sugar-composition-api-render-instance:  1.2.4 
    @vue/babel-sugar-functional-vue:  1.2.2 
    @vue/babel-sugar-inject-h:  1.2.2 
    @vue/babel-sugar-v-model:  1.2.3 
    @vue/babel-sugar-v-on:  1.2.3 
    @vue/cli-overlay:  4.5.13 
    @vue/cli-plugin-babel: ~4.5.0 => 4.5.13 
    @vue/cli-plugin-eslint: ~4.5.0 => 4.5.13 
    @vue/cli-plugin-router: ~4.5.0 => 4.5.13 
    @vue/cli-plugin-vuex: ~4.5.0 => 4.5.13 
    @vue/cli-service: ~4.5.0 => 4.5.13 
    @vue/cli-shared-utils:  4.5.13 
    @vue/component-compiler-utils:  3.2.2 
    @vue/eslint-config-standard: ^5.1.2 => 5.1.2 
    @vue/preload-webpack-plugin:  1.1.2 
    @vue/web-component-wrapper:  1.3.0 
    eslint-plugin-vue: ^6.2.2 => 6.2.2 
    vue: ^2.6.11 => 2.6.14 
    vue-eslint-parser:  7.11.0 
    vue-hot-reload-api:  2.3.4 
    vue-loader:  15.9.8 (16.5.0)
    vue-router: ^3.2.0 => 3.5.2 
    vue-style-loader:  4.1.3 
    vue-template-compiler: ^2.6.11 => 2.6.14 
    vue-template-es2015-compiler:  1.9.1 
    vuex: ^3.4.0 => 3.6.2 
  npmGlobalPackages:
    @vue/cli: Not Found

Steps to reproduce

Create a new project with vue create project-name

• Select "Manullay select features"

 ◉ Choose Vue version

 ◉ Babel

 ◯ TypeScript

 ◯ Progressive Web App (PWA) Support

 ◉ Router

 ◉ Vuex

 ◉   CSS Pre-processors

 ◉ Linter / Formatter

 ◯ Unit Testing

 ◯ E2E Testing

[ENTER]

❯ 2.x 

  3.x 

[ENTER]

? Use history mode for router? (Requires proper server setup for index fallback in production) (Y/n)  n

[ENTER]

? Pick a CSS pre-processor (PostCSS, Autoprefixer and CSS Modules are supported by default): 


  Sass/SCSS (with dart-sass) 

❯ Sass/SCSS (with node-sass) 

  Less 

  Stylus 

[ENTER]

? Pick a linter / formatter config: 


  ESLint with error prevention only 

  ESLint + Airbnb config 

❯ ESLint + Standard config 

  ESLint + Prettier 

[ENTER]

? Pick additional lint features: (Press \<space> to select, \<a> to toggle all, \<i> to invert selection)

❯◉ Lint on save

 ◯ Lint and fix on commit

[ENTER]

? Where do you prefer placing config for Babel, ESLint, etc.? (Use arrow keys)

❯ In dedicated config files 

  In package.json

[ENTER]

At the end the result is:

16 vulnerabilities (11 moderate, 5 high)

What is expected?

Maybe less vulnerabilities?

What is actually happening?

To many deprecated dependencies

[screetBloom]

From my understanding, the fact is that these vulnerabilities don't really affect our business projects

In addition, the maintainers are actively working on these

• Upgrade webpack-dev-server to resolve security vulnerability #6690

[JoaoHamerski]

From my understanding, the fact is that these vulnerabilities don't really affect our business projects

In addition, the maintainers are actively working on these

• Upgrade webpack-dev-server to resolve security vulnerability #6690

@screetBloom I hope you're right, because the more dependencies i add more warnings i get because the deprecated ones.

[N1GHTR4NG3R]

On a fresh install I get all these deprecated packages:
npm WARN deprecated @hapi/[email protected]: This version has been deprecated and is no longer supported or maintained npm WARN deprecated @hapi/[email protected]: This version has been deprecated and is no longer supported or maintained npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated npm WARN deprecated [email protected]: this library is no longer supported npm WARN deprecated [email protected]: The apollo-tracingpackage is no longer part of Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#tracing for details npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated npm WARN deprecated [email protected]: Thegraphql-extensionsAPI has been removed from Apollo Server 3. Use the plugin API instead: https://www.apollographql.com/docs/apollo-server/integrations/plugins/ npm WARN deprecated @hapi/[email protected]: Moved to 'npm install @sideway/address' npm WARN deprecated [email protected]: The functionality provided by theapollo-cache-controlpackage is built in toapollo-server-core starting with Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#cachecontrol for details. npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated @hapi/[email protected]: This version has been deprecated and is no longer supported or maintained npm WARN deprecated @hapi/[email protected]: Switch to 'npm install joi' npm WARN deprecated [email protected]: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead

That is ALOT of deprecated packages too include, with 23 Vulnerabilities on a fresh install. And then fails every time when I try too build with a further 43 Vulnerabilities

[himynameisubik]

Just even installing Vue CLI with
npm install -g @vue/cli

Ends up with: 23 vulnerabilities (4 moderate, 19 high)

[MentalGear]

Just even installing Vue CLI with npm install -g @vue/cli

Ends up with: 23 vulnerabilities (4 moderate, 19 high)

After just installing cli globally, it's
15 vulnerabilities (8 moderate, 7 high)

[lbineau]

Same here, I believe these are not "real" vulnerabilities. But still doesn't get well along security reports and log files...

[sfwhite]

This needs attention. We're looking at potentially adopting Vue for some of our projects, but security will not approve with this many vulnerabilities on a clean install. All attempts to rectify the dev dependency issues manually have resulted in even more errors. Please do a clean sweep of your official packages and clear your audits.

[Akryum]

We're looking at potentially adopting Vue for some of our projects, but security will not approve with this many vulnerabilities on a clean install.

This is very dumb. npm audit is broken by design and is just useless noise. Spending so much time on this non-issue is just wasting everybody's time (especially maintainers').

clear your audits

This is way to much work for literally zero benefits.