[email protected] fresh install with NPM critical severity vulnerabilities

[lluz]

Goals

At the moment of my writing

1. Find out why suddenly there are 8 critical severity vulnerabilities
2. Adding the devDependency "eslint": "^9.35.0", puts it at 15 critical severity vulnerabilities
3. Adding the devDependency "eslint-config-next": "15.5.2", puts it at 29 critical severity vulnerabilities

Non-Goals

Background

This is pretty recent

Proposal

Confirm this problem

[Fazliddin-04]

44 critical severity vulnerabilities

[icyJoseph]

I think it might be related to the supply chain attack?

• https://news.ycombinator.com/item?id=45169794
• https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised

I see a lot of the items printed by npm audit, are packages in the compromised list.

[lluz]

npm audit states:

Malware in color-convert - GHSA-ch7m-m9rf-8gvv
Malware in color-name - GHSA-m99c-cfww-cxqx
Malware in debug - GHSA-8mgj-vmr8-frr6
Malware in is-arrayish - GHSA-hfm8-9jrf-7g9w

[icyJoseph]

Yes, basically, anything owned by the person who got attacked is now flagged.

Package
 color-convert (
[npm](https://github.com/advisories?query=ecosystem%3Anpm)
)
Affected versions
>= 0
Patched versions
None

All versions affected as per report.

[icyJoseph]

Without ESLint, you'd still get 3 vulnerable audits, through sharp, if I understand correctly.

[icyJoseph]

Looks like the security reports are starting to stabilize versions, beyond, >= 0 - let's wait and see if we end up in a good state -

[lluz]

Seems the problem has been addressed.
NPM clean install now states:
found 0 vulnerabilities