I am currently working on a NativeScript project that uses NativeScript core ~8.0.0. I just ran an `npm install` and realized that there are 3 high vulnerabilities. When I try to fix them using `npm audit fix` (even with the `--force` flag), I end up having 30 high vulnerabilities. Running `npm audit fix` again leads back to the original 3 high.
These seem to be due to `@nativescript/webpack:5.0.0`, which is the current version but relies on a vulnerable version of `@pmmmwh/react-refresh-webpack-plugin`.
Any ideas on how to solve this problem?
Here is the detailed output of `npm audit`:
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install @nativescript/webpack@4.1.0, which is a breaking change
node_modules/ansi-html
@pmmmwh/react-refresh-webpack-plugin <=0.5.0-rc.6
Depends on vulnerable versions of ansi-html
@nativescript/webpack >=5.0.0-alpha.0
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
node_modules/@nativescript/webpack