[@wordpress/script]jest-dev-server has some severity vulnerabilities

[stein2nd]

Description

The "npm audit" just said severity vulnerabilities:

axios 0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install @wordpress/[email protected], which is a breaking change
node_modules/axios
wait-on >=5.0.0-rc.0
Depends on vulnerable versions of axios
node_modules/wait-on
jest-dev-server >=5.0.0
Depends on vulnerable versions of wait-on
node_modules/jest-dev-server
@wordpress/scripts >=18.1.0
Depends on vulnerable versions of jest-dev-server
node_modules/@wordpress/scripts

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Step-by-step reproduction instructions

Delete the "node_modules" folder and "package-lock.json".
Next, execute "ncu", "ncu -u", "npm install --force", and "npm audit" in order.

Screenshots, screen recording, code snippet

Environment info

System:

• OS: macOS 14.1.1
• CPU: (12) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
• Memory: 135.64 MB / 32.00 GB
• Shell: 3.2.57 - /bin/bash

Binaries:

• Node: 21.1.0 - ~/.nodebrew/current/bin/node
• Yarn: 1.22.19 - ~/.nodebrew/current/bin/yarn
• npm: 10.2.3 - ~/.nodebrew/current/bin/npm
• pnpm: 8.6.12 - ~/.nodebrew/current/bin/pnpm

npmPackages:

• @wordpress/scripts: ^26.16.0 => 26.16.0

Please confirm that you have searched existing issues in the repo.

Yes

Please confirm that you have tested with all plugins deactivated except Gutenberg.

No

[galbus]

In our plugin repo Dependabot reports this vulnerability, and it cannot cannot create a security update to fix it.

Dependabot cannot update axios to a non-vulnerable version
The latest possible version that can be installed is 0.25.0 because of the following conflicting dependency:

@wordpress/[email protected] requires axios@^0.25.0 via a transitive dependency on [email protected]

We tried temporarily switching from yarn to npm and running the suggested npm audit fix --force command, but for our project this only resulted in many more security vulnerabilities being reported (27 new ones).