
GitHub generates security alerts on yarn.lock for acorn and clean-css for fresh project generated by npx express-generator --view=pug #258

Closed
codingthat opened this issue Apr 22, 2020 · 3 comments

Comments

@codingthat

First, create a new GitHub repo with .gitignore set to Node.

Then run npx express-generator --view=pug and push the results:

~ $ git clone git@github.com:codingthat/express-generator-test.git
Cloning into 'express-generator-test'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
~ $ cd express-generator-test/
~/express-generator-test (master) $ npx express-generator --view=pug
npx: installed 10 in 1.989s
destination is not empty, continue? [y/N] y

   create : public/
   create : public/javascripts/
   create : public/images/
   create : public/stylesheets/
   create : public/stylesheets/style.css
   create : routes/
   create : routes/index.js
   create : routes/users.js
   create : views/
   create : views/error.pug
   create : views/index.pug
   create : views/layout.pug
   create : app.js
   create : package.json
   create : bin/
   create : bin/www

   install dependencies:
     $ npm install

   run the app:
     $ DEBUG=express-generator-test:* npm start

~/express-generator-test (master) $ yarn
yarn install v1.22.4
info No lockfile found.
[1/4] Resolving packages...
warning pug > pug-code-gen > constantinople > babel-types > babel-runtime > core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 7.49s.
~/express-generator-test (master) $ git add .
~/express-generator-test (master) $ git commit -m "Default project"
[master 7f62013] Default project
 10 files changed, 1009 insertions(+)
 create mode 100644 app.js
 create mode 100755 bin/www
 create mode 100644 package.json
 create mode 100644 public/stylesheets/style.css
 create mode 100644 routes/index.js
 create mode 100644 routes/users.js
 create mode 100644 views/error.pug
 create mode 100644 views/index.pug
 create mode 100644 views/layout.pug
 create mode 100644 yarn.lock
~/express-generator-test (master) $ git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (14/14), done.
Writing objects: 100% (17/17), 15.42 KiB | 1.93 MiB/s, done.
Total 17 (delta 1), reused 0 (delta 0)
remote: Resolving deltas: 100% (1/1), done.
To github.com:codingthat/express-generator-test.git
   c10c6c2..7f62013  master -> master
~/express-generator-test (master) $ 

Back at GitHub, you'll see this:

We found potential security vulnerabilities in your dependencies.

Clicking the button to view alerts will show these two:

Security alerts for acorn and clean-css

acorn

The acorn one seems to not even be automatically fixable:

Upgrade acorn to version 5.7.4 or later.

Clicking the details link gives a short message entitled "Dependabot cannot update to the required version":

Dependabot cannot create a pull request as one or more other dependencies require a version that is incompatible with this update.

clean-css

Likewise, clean-css can't be fixed:

Upgrade clean-css to version 4.1.11 or later.

The details link shows the same short message as for acorn.


It's not immediately clear from looking at yarn.lock what the original dependencies even are, and acorn and clean-css are not present in package.json, so they probably need to be manually traced. It's also not clear what the conflict is from the short message on GitHub.
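Tracing the alerted packages back to a direct dependency is mechanical once yarn.lock v1 is parsed, which is what yarn why does. The block below is an added example, not code from express-generator or from anyone in this thread: it parses a lockfile, walks from each entry in package.json to every occurrence of a named package, and lists the versions the lockfile actually resolved so each can be compared with the version the alert asks for. The package.json and lockfile text are constructed for the example; every version, dependency edge and package name not shown in the issue is invented and does not describe the real pug dependency tree.

```javascript
// Added example, not code from express-generator or from anyone in this thread:
// trace which direct dependencies pull a flagged package into a yarn.lock v1
// file (what `yarn why` reports) and list the versions actually resolved, so
// each can be checked against the version the alert asks for. Every version,
// dependency edge and package name not shown in the issue is constructed.

// Constructed stand-in for the generated project's package.json.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { pug: "2.0.0-beta11", "example-logger": "^1.0.0" },
};

// Constructed yarn.lock v1 text (resolved URLs deliberately use an invalid host).
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


acorn@^3.0.4:
  version "3.3.0"
  resolved "https://registry.invalid/acorn-3.3.0.tgz"

acorn@^5.5.3, acorn@^5.7.0:
  version "5.7.3"
  resolved "https://registry.invalid/acorn-5.7.3.tgz"

constantinople@^3.0.1:
  version "3.1.2"
  dependencies:
    acorn "^3.0.4"

example-logger@^1.0.0:
  version "1.0.2"

example-minifier@^1.0.0:
  version "1.4.0"
  dependencies:
    acorn "^5.7.0"

pug-code-gen@^1.1.1:
  version "1.1.1"
  dependencies:
    constantinople "^3.0.1"

pug@2.0.0-beta11:
  version "2.0.0-beta11"
  dependencies:
    example-minifier "^1.0.0"
    pug-code-gen "^1.1.1"
`;

// Parse yarn.lock v1 into a Map from "name@range" to {name, version, dependencies}.
// A header may list several ranges ("a@^1.0.0, a@^1.2.0:") that share one entry.
function parseYarnLock(text) {
  const entries = new Map();
  let entry = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      const keys = raw.replace(/:\s*$/, "").split(",").map((k) => k.trim().replace(/^"|"$/g, ""));
      // The version separator is the last "@", which also handles scoped names.
      entry = { name: keys[0].slice(0, keys[0].lastIndexOf("@")), version: null, dependencies: {} };
      keys.forEach((k) => entries.set(k, entry));
      inDeps = false;
    } else if (raw.startsWith("    ")) {
      // Four-space indent: a dependency line such as `    acorn "^3.0.4"`.
      const m = raw.trim().match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (inDeps && m) entry.dependencies[m[1]] = m[2];
    } else {
      // Two-space indent: a field of the current entry (version, resolved, ...).
      const line = raw.trim();
      if (line.startsWith("version ")) entry.version = line.slice(8).replace(/^"|"$/g, "");
      inDeps = line === "dependencies:" || line === "optionalDependencies:";
    }
  }
  return entries;
}

// Depth-first walk from each direct dependency, returning every path that ends
// at `target`, rendered in the "a@1 > b@2 > target@3" style yarn why uses.
function whyPackage(lockText, packageJson, target) {
  const entries = parseYarnLock(lockText);
  const chains = [];
  const onPath = new Set(); // keys on the current path, so cycles terminate
  const walk = (key, path) => {
    const e = entries.get(key);
    if (!e || onPath.has(key)) return;
    const here = path.concat(`${e.name}@${e.version}`);
    if (e.name === target) { chains.push(here.join(" > ")); return; }
    onPath.add(key);
    for (const [dep, range] of Object.entries(e.dependencies)) walk(`${dep}@${range}`, here);
    onPath.delete(key);
  };
  const direct = { ...packageJson.dependencies, ...packageJson.devDependencies };
  for (const [name, range] of Object.entries(direct)) walk(`${name}@${range}`, []);
  return chains.sort();
}

// Distinct versions the lockfile resolved for a package; each one has to meet the
// alert's minimum, not just the newest.
function resolvedVersions(lockText, name) {
  const versions = new Set();
  for (const e of parseYarnLock(lockText).values()) if (e.name === name) versions.add(e.version);
  return [...versions].sort();
}

console.log(whyPackage(SAMPLE_YARN_LOCK, SAMPLE_PACKAGE_JSON, "acorn").join("\n"));
console.log("resolved acorn versions:", resolvedVersions(SAMPLE_YARN_LOCK, "acorn"));
```

Run against a real project by reading package.json and yarn.lock from disk instead of the constructed strings. Two points the output makes visible that the GitHub alert does not: a single package name can resolve to several versions in one lockfile (here two acorn lines), and the alert is only cleared when every chain ends at a version at or above the fix, which is why Dependabot refuses when an intermediate package pins a range that cannot reach it.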

@dougwilson
Contributor

It is likely these are dependencies of dependencies, etc. There may be some projects that need to be notified to update. If you think there is something the generator can do to resolve directly, please let us know and we can reopen.

@codingthat
Author

Thanks @dougwilson. yarn why acorn and yarn why clean-css both point to Pug, so I'll follow up with them.

@codingthat
Author

codingthat commented Apr 22, 2020

Actually @dougwilson it turns out that the clean-css warning can be solved by bumping the version of pug that the generator uses to at least the last release, 2.0.4. (Currently it comes out as 2.0.0-beta11.) There's already a PR to bring it up to 2.0.3: #230
