Should I Be Worried About 7 High Severity Vulnerabilities?

[fpolli]

I init Adonis with the API starter kit and when I try to install another package (vite or bouncer are what I have tried), I get this from npm:

7 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

Ok, so I run npm audit to see what they are:

# npm audit report

lodash.set  *
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install @japa/[email protected], which is a breaking change
node_modules/lodash.set
  api-contract-validator  >=2.1.0
  Depends on vulnerable versions of lodash.set
  node_modules/api-contract-validator
    @japa/assert  >=1.3.0
    Depends on vulnerable versions of api-contract-validator
    node_modules/@japa/assert
      @japa/api-client  >=2.0.0-0
      Depends on vulnerable versions of @japa/assert
      node_modules/@japa/api-client
        @adonisjs/auth  5.0.0 || >=9.0.0-0
        Depends on vulnerable versions of @adonisjs/session
        Depends on vulnerable versions of @japa/api-client
        Depends on vulnerable versions of @japa/plugin-adonisjs
        node_modules/@adonisjs/auth
        @adonisjs/session  >=7.0.0-0
        Depends on vulnerable versions of @japa/api-client
        node_modules/@adonisjs/session
        @japa/plugin-adonisjs  >=2.0.0-0
        Depends on vulnerable versions of @japa/api-client
        node_modules/@japa/plugin-adonisjs

7 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

This looks bad. If I take npm's advice and fix these vulnerabilities, I am unable to install a functioning server. If I ignore them and just forge ahead, I get to the beloved "started HTTP server on localhost:3333" message.

When I do select fix, I get a whole lot of peer dependency warnings or even errors.

So, do I need to worry about these high severity vulnerabilities? It sounds bad. Hackers are like water.

Thank you for your time.

[Julien-R44]

Nope, you shouldn't worry

https://overreacted.io/npm-audit-broken-by-design/

[fpolli]

Thank you for the link. It was educational. That poor guy must be out of his mind with frustration if almost three years after his article, we are in the same place.

…

On Fri, Feb 16, 2024 at 6:42 AM Julien Ripouteau ***@***.***> wrote: Nope, you shouldn't worry https://overreacted.io/npm-audit-broken-by-design/ — Reply to this email directly, view it on GitHub <#4410 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABJXG7XSWSOSUKPIECU5XF3YT5V7HAVCNFSM6AAAAABDMEVONGVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4DIOJTGU2TM> . You are receiving this because you authored the thread.Message ID: ***@***.***>

-- Frederick R. Polli ***@***.*** Additional contact information available upon request