This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

Installing expo-cli with Node 14.15.5 (Latest Active LTS) high severity errors #3250

Closed
markojak opened this issue Feb 20, 2021 · 3 comments

markojak commented Feb 20, 2021

I just started using Expo with the hope of using it to develop some apps. When first installing the Expo-CLI and trying to get the first project up with Node 14.15.5, which is the latest active LTS, I get a variety of errors.

It forces me to ask the question: Is this project still well maintained or falling into disrepair?

Alternatively, I'm doing something wrong and I'd appreciate the assistance...

 $ npm install --global expo-cli
npm WARN deprecated topo@2.0.2: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated @hapi/pinpoint@2.0.0: Moved to 'npm install @sideway/pinpoint'
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated @hapi/formula@2.0.0: Moved to 'npm install @sideway/formula'
npm WARN deprecated hoek@4.2.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated @hapi/address@4.1.0: Moved to 'npm install @sideway/address'
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated joi@11.4.0: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated @hapi/joi@17.1.1: Switch to 'npm install joi'
npm WARN deprecated core-js@2.6.12: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.

added 1900 packages, and audited 1901 packages in 39s

110 packages are looking for funding
  run `npm fund` for details

7 high severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
brentvatne (Member) commented Feb 20, 2021

I ran npm audit for expo-cli@4.1.6:

╭─~/code/testingaudit
╰─$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution in node-forge                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-forge                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 0.10.0                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo-cli                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ expo-cli > @expo/xdl > node-forge                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1561                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo-cli                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ expo-cli > @expo/xdl > @expo/webpack-config >                │
│               │ react-dev-utils > immer                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1603                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo-cli                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ expo-cli > @expo/xdl > react-dev-utils > immer               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1603                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ immer                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=8.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo-cli                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ expo-cli > react-dev-utils > immer                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1603                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 high severity vulnerabilities in 1836 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

This is all "prototype pollution", mainly based on our dependency on react-dev-utils (a shared package used by create-react-app). Prototype pollution could lead to vulnerabilities if the code is running on a web server, but you're not going to have any issues with this in the context of expo-cli. Learn more about prototype pollution: https://github.com/Kirill89/prototype-pollution-explained

We need to wait for react-dev-utils to update their immer dependency to resolve these warnings: facebook/create-react-app#10578

The one that we can control is node-forge. We don't actually use any of the impacted methods (see the changelog), so on top of there not being any attack vector due to the nature of expo-cli, there is no usage of impacted code. I opened a PR to bump the version anyway: #3252

So, tl;dr: this is nothing to be concerned about. npm has no way of detecting whether the usage of the listed libraries actually exposes developers to any vulnerabilities, and they do not in this case. You will likely see this same warning in many larger projects right now, because some new prototype pollution advisories were created on npm yesterday and it takes time to update impacted libraries.
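
The class of bug behind the immer and node-forge advisories, shown as an added example that is not part of this thread and not code from immer, node-forge or expo-cli. The gadget is a naive recursive merge that walks into a JSON key named `__proto__` (or `constructor.prototype`) and so writes onto `Object.prototype`, the shared prototype of every plain object in the process. Beside it is a hardened merge that refuses those keys, and an authorization check that only trusts own properties. The `isAdmin` flag, the payloads and the function names are all constructed for the demo; the point matches the comment above: this only matters where an attacker controls input to a long-running process, which a local CLI does not give them.

```javascript
// Added example (not from the expo-cli thread, immer or node-forge).
// Demonstrates a prototype-pollution gadget and two mitigations.

// Constructed attacker payloads, e.g. a JSON request body or config file
// that a server merges into its own settings object.
const PAYLOADS = {
  proto: '{"__proto__": {"isAdmin": true}}',
  constructor: '{"constructor": {"prototype": {"isAdmin": true}}}',
};

// Vulnerable: recurses into every key of `source`, including "__proto__".
// `target["__proto__"]` is Object.prototype, so the recursion writes there.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (target[key] === undefined) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip keys that reach the prototype chain, and only recurse into
// own properties of `target` so an inherited object is never the write target.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key)) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Naive check: reads through the prototype chain, so pollution flips it.
function isAllowed(user) {
  return user.isAdmin === true;
}

// Defensive check: only an own property on the user object counts.
function isAllowedOwnOnly(user) {
  return Object.prototype.hasOwnProperty.call(user, 'isAdmin') && user.isAdmin === true;
}

// Merge `payload` into a fresh config with `merge`, then observe what an
// unrelated object created afterwards looks like. Pollution is undone before
// returning so the function is repeatable.
function demo(merge, payload) {
  const config = {};
  merge(config, JSON.parse(payload));
  const guest = {}; // never assigned to; inherits whatever Object.prototype has
  const result = {
    bystanderPolluted: guest.isAdmin === true,
    naiveCheck: isAllowed(guest),
    ownOnlyCheck: isAllowedOwnOnly(guest),
  };
  delete Object.prototype.isAdmin; // restore the shared prototype
  return result;
}

for (const [name, payload] of Object.entries(PAYLOADS)) {
  console.log(`${name} payload, unsafeMerge:`, demo(unsafeMerge, payload));
  console.log(`${name} payload, safeMerge:  `, demo(safeMerge, payload));
}
```

Both payloads pollute through `unsafeMerge` (the bystander object and the naive check both report `isAdmin`), while `safeMerge` leaves `Object.prototype` untouched. Note that `isAllowedOwnOnly` protects the check even when some other library has already been exploited; deny-listing keys in the merge protects every consumer of the prototype. Real fixes such as immer 8.0.1 do the former kind of filtering in the library itself.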

ide (Member) commented Feb 20, 2021

One thing I would add is that all security is relative to a threat model.

A package that is highly vulnerable in one context may be 100% secure in another context. Specifically, many packages consider DoS to be a vulnerability in the context of being run on a high-traffic web server, which usually doesn’t apply to a local CLI tool.

brentvatne (Member) commented
+ expo-cli@4.2.1
added 1816 packages from 792 contributors and audited 1816 packages in 62.384s

110 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
