Deprecation warnings & vulnerabilities in 2.3.3 #6549

Open
jasonpolites opened this issue Aug 27, 2018 · 6 comments

Comments

@jasonpolites

On the latest build (2.3.3) npm blurts out a bunch of deprecation warnings, and ends with a note about vulnerabilities

npm WARN deprecated [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated [email protected]: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: The major version is no longer supported. Please update to 4.x or newer
+ [email protected]
added 528 packages from 445 contributors and audited 9720 packages in 82.32s
found 14 vulnerabilities (2 low, 4 moderate, 8 high)

Running npm audit shows that all the high [importance] vulnerabilities are from minimatch, a dependency of vinyl-fs

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semantic-ui                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semantic-ui > gulp > vinyl-fs > glob-stream > glob >         │
│               │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I couldn't find a report of this issue, but apologies if this is a dupe
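As an added example (not code from this issue or from the Semantic-UI project), here is a small Node script that parses the box-drawing report `npm audit` printed above into records and checks an installed version against the "Patched in" floor; the embedded report is constructed from the minimatch advisory quoted in this thread, with narrower columns, and the `isPatched` helper is an assumption that deliberately handles only the `>=x.y.z` form npm prints.

```javascript
// Added example, not Semantic-UI code: parse the text report `npm audit`
// printed above. Sample constructed from this thread's advisories (narrow cols).
const SAMPLE_REPORT = `
┌───────────────┬────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service   │
├───────────────┼────────────────────────────────────────┤
│ Package       │ minimatch                              │
├───────────────┼────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                │
├───────────────┼────────────────────────────────────────┤
│ Dependency of │ semantic-ui                            │
├───────────────┼────────────────────────────────────────┤
│ Path          │ semantic-ui > gulp > vinyl-fs >        │
│               │ glob-stream > glob > minimatch         │
├───────────────┼────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118 │
└───────────────┴────────────────────────────────────────┘
`;
const SEVERITIES = ['Critical', 'High', 'Moderate', 'Low'];
// One record per table; a row with an empty key continues the previous cell.
function parseAuditReport(text) {
  const records = [];
  let raw = null, lastKey = null;
  for (const line of text.split('\n')) {
    if (line.startsWith('┌')) { raw = {}; records.push(raw); continue; }
    if (!raw || !line.startsWith('│')) continue;
    const [key, value] = line.split('│').slice(1, 3).map(s => s.trim());
    if (key) { lastKey = key; raw[key] = value; }
    else if (lastKey) raw[lastKey] += ' ' + value;
  }
  return records.map(r => {
    const severity = SEVERITIES.find(s => s in r) || 'Unknown';
    return { severity, title: r[severity], package: r.Package,
      patchedIn: r['Patched in'], dependencyOf: r['Dependency of'],
      path: r.Path, moreInfo: r['More info'] };
  });
}
// True when `installed` meets the ">=x.y.z" floor npm prints under "Patched in".
// Deliberately minimal (assumed helper); real tooling should use the semver package.
function isPatched(installed, patchedIn) {
  const min = patchedIn.replace(/^>=\s*/, '').split('.').map(Number);
  const cur = installed.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((cur[i] || 0) !== (min[i] || 0)) return (cur[i] || 0) > (min[i] || 0);
  }
  return true;
}
```

Feeding the output of `npm audit` into `parseAuditReport` gives one record per advisory table, so the transitive paths through `vinyl-fs` can be listed per package instead of read off by hand.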

@JamesCraster

Unfortunately this is still occurring in 2.4.2; would it be possible to update minimatch beyond 3.0.2?

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semantic-ui                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semantic-ui > gulp > vinyl-fs > glob-stream > glob >         │
│               │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semantic-ui                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semantic-ui > gulp > vinyl-fs > glob-stream > minimatch      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semantic-ui                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semantic-ui > gulp > vinyl-fs > glob-watcher > gaze >        │
│               │ globule > glob > minimatch                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semantic-ui                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semantic-ui > gulp > vinyl-fs > glob-watcher > gaze >        │
│               │ globule > minimatch                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semantic-ui                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semantic-ui > gulp > vinyl-fs > glob-watcher > gaze >        │
│               │ globule > lodash                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I'm concerned that in the future contributors might be confused by these errors.

@leo-bo

leo-bo commented Mar 18, 2019

Dear @jlukic, would it be possible to update minimatch to a version >=3.0.2 in an upcoming maintenance release? I came across the same problem as @jasonpolites and @JamesCraster, and even GitHub is now complaining:

[image not captured]

@lubber-de

This comment was marked as spam.

@leo-bo

leo-bo commented Mar 18, 2019

Thanks for the hint @lubber-de! Could you tell me if fomantic-ui is compatible with semantic-ui-react the same way semantic-ui is? Or is there a compatible alternative (fomantic-ui-react maybe)?

@lubber-de

This comment was marked as spam.

@haithamelmengad

+1 here
