Dependencies have high severity vulnerabilities

[ashelman-ec]

Trying to follow the hapipal Getting Started tutorial, but ran into these issues:

1. npm init @hapipal does not work on Windows, see today's comments in hapipal.com issue #72
2. trying instead to use the workaround given in that issue, we are still left with the following dependency problems

> npm install
npm WARN deprecated babel-eslint@10.1.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated @hapi/eslint-config-hapi@13.0.2: This module has moved and is now available as part of @hapi/eslint-plugin. Please update your dependencies as this version is no longer maintained and may contain bugs and security issues.
npm WARN deprecated @hapi/eslint-plugin-hapi@4.3.6: This module has moved and is now available at @hapi/eslint-plugin. Please update your dependencies as this version is no longer maintained and may contain bugs and security issues.

added 295 packages, and audited 296 packages in 40s

35 packages are looking for funding
  run `npm fund` for details

3 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

Manually editing package.json to replace"babel-eslint": "10.x.x" with "@babel/eslint-parser": "7.x.x" quiets one of the warnings (but I don't know whether this newer version has any breaking changes and will actually work correctly)

But that still leaves the security vulnerabilities:

s> npm audit fix

up to date, audited 286 packages in 3s

32 packages are looking for funding
  run `npm fund` for details

# npm audit report

marked  <=4.0.9
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
Regular Expression Denial of Service (REDoS) in Marked - https://github.com/advisories/GHSA-4r62-v4vq-hr96
No fix available
node_modules/marked
  @hapipal/hpal  *
  Depends on vulnerable versions of marked
  Depends on vulnerable versions of marked-terminal
  node_modules/@hapipal/hpal
  marked-terminal  <=4.2.0
  Depends on vulnerable versions of marked
  node_modules/marked-terminal

3 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

[ashelman-ec]

I see this is the same as boilerplate issue #99.

I am too new to Javascript & hapi to submit a PR at this time, though might be competent enough in a couple months...

[ashelman-ec]

Hmm linting is broken and not sure how to fix it...

[Nargonath]

How is linting broken? Did you mean in your own project or while contributing to hapipal?

[ashelman-ec]

I mean, once I reached this part of the tutorial, npm run lint failed, as below.

Note that, per the deprecation warnings at the top of this issue, I had modified package.json and .eslintrc.json from @hapi/eslint-plugin-hapi to @hapi/eslint-plugin. Not sure if that was the correct thing to do...

> npm run lint

> hapipal-boilerplate@3.0.0 lint
> eslint .


Oops! Something went wrong! :(

ESLint: 7.32.0

ESLint couldn't find the config "@hapi/eslint-plugin" to extend from. Please check that the name of the config is correct.

The config "@hapi/eslint-plugin" was referenced from the config file in "C:\Users\...\paldo-riddles\.eslintrc.json".

If you still have problems, please stop by https://eslint.org/chat/help to chat with the team.

[Nargonath]

Ok, thanks @ashelman-ec for the explanation. Not sure what's the problem though. I'd have to check for myself. I don't have much available bandwidth right now, so I'm not sure when I'll be able to do that.