Security Warnings for 11ty Dependencies

[trey]

I've been seeing "Potential security vulnerability" warnings in GitHub for my 11ty projects. They relate to the acorn and minimist dependencies.

Here's the information these warnings link to:
GHSA-7fhm-mqm4-2wp7

Would it be possible to get 11ty updated to remove these potential vulnerabilities?

[Ryuno-Ki]

Related to #1023.

[zachleat]

Thanks for opening this! Updated for 0.11.0.

In the future I’d love to keep these specific to the package listed in the npm audit entry so we can track individual packages updates separately.

See #1026 for an example.

[trey]

@zachleat Ahh, cool. Will do! Thanks for letting me stumble through that and giving me feedback!

[matthewp]

I don't think this is fixed, there's still the problem with acorn and that comes from pug.

├─┬ @11ty/eleventy@0.11.0-beta.2
│ └─┬ pug@2.0.4
│   ├─┬ pug-code-gen@2.0.2
│   │ └─┬ with@5.1.1
│   │   ├── acorn@3.3.0
│   │   └─┬ acorn-globals@3.1.0
│   │     └── acorn@4.0.13
│   └─┬ pug-lexer@4.1.0
│     └─┬ is-expression@3.0.0
│       └── acorn@4.0.13

[dixonge]

So how do I fix this in the meantime? Manually edit package-lock.json? Remove/regenerate it?

[trey]

Good question.

[Ryuno-Ki]

So … normally, you can find a security bullet at Snyk, where they describe how to mitigate those security vulnerabilities - if a patch is available / possible.
Otherwise, follow the repo of the offending package and ask the maintainer to publish a new version with the fix, so it can bubble up the dependency chain.

A third option could be to switch out the dep. Hardly possible here, I guess.

[dixonge]

So, for those of us who are not programmers ... ?

[Ryuno-Ki]

Sit and wait.

[matthewp]

If you're not using Pug then this vulnerability doesn't affect you. So if your concern is the security warning that GitHub shows you can dismiss it as not relevant to your project.

[dixonge]

I am not using Pug. It's just annoying...

[zachleat]

Created a new npm-audit label for these types of issues. The applicable ones for this issue are resolved with the 0.11.0 release. A new one cropped up and was filed at #1164

These are likely just to be ongoing maintenance things that are part of npm and are actually a good thing! So don’t despair that these keep cropping up. If you’re using Eleventy as a static site (and not running browser-sync in production), these are unlikely to expose you to any major security issues on your website.