Open
Description
Hi Team,
When I generated a new add-in app with the following options, I'm getting these items in the npm audit response.
? What is the name of your add-in? (geotab add in) Run-async wrapped function (sync) returned a promise but async() callback must be executed to resolve.
? What is the name of your add-in? my-add-in
? What type of add-in do you want to create? Geotab Drive Add-In Page
? What is the support contact email address for the add-in? support@example.com
? What is the deployment host URL? https://static.example.com/geotab
? What is the add-in menu item name? rickRoll
create package.json
create webpack.common.js
create webpack.development.js
create webpack.production.js
create webpack.local.js
create .gitignore
create .gitattributes
create src/app/rickRoll.html
create src/app/index.js
create src/app/config.json
create src/app/scripts/main.js
create src/app/styles/main.css
create src/app/images/icon.svg
create test/functional/mocks/mocks.js
create test/functional/test.js
create zip.util.js
create src/.dev/api.js
create src/.dev/rison.js
create src/.dev/index.js
create src/.dev/state.js
create src/.dev/login/loginTemplate.js
create src/.dev/login/loginLogic.js
create src/.dev/login/takePictureDialog/Dialog.js
create src/.dev/login/takePictureDialog/UploadImageDialog.js
create src/.dev/login/takePictureDialog/CaptureImageDialog.js
create src/.dev/navbar/navbar.js
create src/.dev/navbar/NavBuilder.js
create src/.dev/navbar/NavFactory.js
create src/.dev/navbar/NavHandler.js
create src/.dev/navbar/props.js
create src/.dev/loaders/css-sandbox/css-sandbox.js
create src/.dev/images/Font_Awesome_5_solid_chevron-left.svg
create src/.dev/images/close-round.svg
create src/.dev/styles/styleGuide.css
create src/.dev/styles/styleGuideMyGeotab.html
create src/.dev/ToggleHandler.js
Changes to package.json were detected.
Running npm install for you to install the required dependencies.
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated source-map-resolve@0.6.0: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated puppeteer@10.4.0: < 21.5.0 is no longer supported
> rickroll@1.0.0 preinstall
> npm install --package-lock-only --ignore-scripts && npx npm-force-resolutions
npm audit report
axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios
wait-on 5.0.0-rc.0 - 7.1.0
Depends on vulnerable versions of axios
node_modules/wait-on
start-server-and-test 1.11.1 - 2.0.2
Depends on vulnerable versions of wait-on
node_modules/start-server-and-test
got <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install imagemin-gifsicle@4.1.0, which is a breaking change
node_modules/bin-wrapper/node_modules/got
node_modules/got
download >=4.0.0
Depends on vulnerable versions of got
node_modules/bin-wrapper/node_modules/download
node_modules/download
bin-build >=2.1.2
Depends on vulnerable versions of download
node_modules/bin-build
gifsicle >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/gifsicle
imagemin-gifsicle >=4.2.0
Depends on vulnerable versions of gifsicle
node_modules/imagemin-gifsicle
mozjpeg >=4.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/mozjpeg
imagemin-mozjpeg >=5.1.0
Depends on vulnerable versions of mozjpeg
node_modules/imagemin-mozjpeg
pngquant-bin >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/pngquant-bin
imagemin-pngquant >=4.1.0
Depends on vulnerable versions of pngquant-bin
node_modules/imagemin-pngquant
bin-wrapper >=0.4.0
Depends on vulnerable versions of bin-version-check
Depends on vulnerable versions of download
node_modules/bin-wrapper
http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install imagemin-gifsicle@4.1.0, which is a breaking change
node_modules/http-cache-semantics
cacheable-request 0.1.0 - 2.1.4
Depends on vulnerable versions of http-cache-semantics
node_modules/cacheable-request
node-fetch <2.6.7
Severity: high
node-fetch forwards secure headers to untrusted sites - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install puppeteer@22.4.1, which is a breaking change
node_modules/node-fetch
puppeteer 10.0.0 - 13.1.1
Depends on vulnerable versions of node-fetch
node_modules/puppeteer
semver-regex <=3.1.3 || 4.0.0 - 4.0.2
Severity: high
semver-regex Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
fix available via `npm audit fix --force`
Will install imagemin-gifsicle@4.1.0, which is a breaking change
node_modules/find-versions/node_modules/semver-regex
node_modules/semver-regex
find-versions <=3.2.0
Depends on vulnerable versions of semver-regex
node_modules/find-versions
bin-version <=4.0.0
Depends on vulnerable versions of find-versions
node_modules/bin-version
bin-version-check <=4.0.0
Depends on vulnerable versions of bin-version
node_modules/bin-version-check
21 vulnerabilities (11 moderate, 10 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
When can we see a new update on the dependencies? Also, any plans on migrating to newer versions on Yeoman?
Thanks,
Hiren
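An added example, not part of the original post or the generator's code: most entries in the report above carry no advisory of their own and are listed only through "Depends on vulnerable versions of" lines. This Node.js script parses an excerpt of that report and traces a package back to the packages that carry an advisory themselves; the function names `parseAudit` and `rootCauses` are hypothetical.

```javascript
// Excerpt of the npm audit text report from the issue above (path lines mostly trimmed).
const REPORT = `
axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
node_modules/axios
wait-on 5.0.0-rc.0 - 7.1.0
Depends on vulnerable versions of axios
got <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
download >=4.0.0
Depends on vulnerable versions of got
http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
cacheable-request 0.1.0 - 2.1.4
Depends on vulnerable versions of http-cache-semantics
`;

// Parse the flat text report into: package name -> { dependsOn, advisories }.
function parseAudit(text) {
  const pkgs = new Map();
  let cur = null;
  for (const line of text.split("\n").map((l) => l.trim()).filter(Boolean)) {
    const dep = line.match(/^Depends on vulnerable versions of (\S+)$/);
    const adv = line.match(/ - (https:\/\/github\.com\/advisories\/\S+)$/);
    if (dep && cur) cur.dependsOn.push(dep[1]);
    else if (adv && cur) cur.advisories.add(adv[1]);
    else if (/^(Severity:|fix available|Will install|node_modules\/)/.test(line)) continue;
    else pkgs.set(line.split(" ")[0], (cur = { dependsOn: [], advisories: new Set() }));
  }
  return pkgs;
}

// Follow "Depends on" edges until reaching packages that have their own advisory.
function rootCauses(pkgs, name, seen = new Set()) {
  if (seen.has(name) || !pkgs.has(name)) return [];
  seen.add(name); // guard against dependency cycles
  const pkg = pkgs.get(name);
  const roots = pkg.advisories.size ? [name] : [];
  for (const d of pkg.dependsOn) roots.push(...rootCauses(pkgs, d, seen));
  return [...new Set(roots)].sort();
}

const pkgs = parseAudit(REPORT);
for (const name of pkgs.keys()) console.log(name, "<-", rootCauses(pkgs, name).join(", "));
```

Grouping findings by root package shows which upgrades would clear several entries at once, which is more useful for triage than the raw vulnerability count.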