Github dependabot alerts when including Fomantic using npm #2936

fnagel · 2023-11-07T21:28:12Z

fnagel
Nov 7, 2023

I'm using following package.json in order to including Fomantic in my custom Symfony project. The Github repository of the project has Github dependabot security alerts. It looks like its caused by the"fomantic-ui" dependency. Any ideas what I'm doing wrong here?

{
  "scripts": {
    "postinstall": "cd node_modules/fomantic-ui && npx gulp install",
    "build": "npx gulp build --cwd=semantic",
    "watch": "npx gulp watch --cwd=semantic"
  },
  "dependencies": {
    "fomantic-ui": "^2.9.3",
...

Answered by lubber-de

Nov 8, 2023

This is a subdependency of gulp which is ignored by the gulp developers as they declare this as a false positive explained via
https://overreacted.io/npm-audit-broken-by-design/
gulpjs/gulp#2640

Same as #1646

So as long as nobody fixes the original libs or forks them and/or fixes gulp or rewrites the whole build system this won't get fixed. But infact those affect the local instance only as described in the external link above.

I, however, was already trying to fork and fix all affected external and abandoned dependencies, some time ago, but this ain't an easy/motivating task and isnt finished. If interested those packages are here https://www.npmjs.com/search?q=%40fomantic

View full answer

lubber-de · 2023-11-08T19:18:22Z

lubber-de
Nov 8, 2023
Maintainer

This is a subdependency of gulp which is ignored by the gulp developers as they declare this as a false positive explained via
https://overreacted.io/npm-audit-broken-by-design/
gulpjs/gulp#2640

Same as #1646

So as long as nobody fixes the original libs or forks them and/or fixes gulp or rewrites the whole build system this won't get fixed. But infact those affect the local instance only as described in the external link above.

I, however, was already trying to fork and fix all affected external and abandoned dependencies, some time ago, but this ain't an easy/motivating task and isnt finished. If interested those packages are here https://www.npmjs.com/search?q=%40fomantic

1 reply

fnagel Nov 13, 2023
Author

Hi @lubber-de, thanks for the detailed response. That is actually quiet sad to ~~here~~ read, especially as the blog post is already more than two years old. It would be interesting if Grunt has the same issues...

Sounds like this is something that will not be solved at all (or anything soon), but as its seems not to be a real security issue in the actual public code I assume I will just ignore those Github alerts.

Thanks for you answer and the effort you put into Fomantic! <3

lubber-de · 2024-05-09T19:26:39Z

lubber-de
May 9, 2024
Maintainer

gulp5 was upgraded by #3032
all other plugings have been upgraded by #3047

The remaining/new 2 moderate warnings will be fixed in FUI 2.10.0 when node 12 is dropped

2 replies

fnagel Nov 7, 2024
Author

Thanks for the update!

Is there a roadmap for a new release? My client would be very happy if the security alerts are gone :-)

lubber-de Nov 7, 2024
Maintainer

Asap. In the meantime you can use the nightly beta which is available on npm as well

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Github dependabot alerts when including Fomantic using npm #2936

{{title}}

Replies: 2 comments 3 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Github dependabot alerts when including Fomantic using npm #2936

fnagel Nov 7, 2023

Replies: 2 comments · 3 replies

lubber-de Nov 8, 2023 Maintainer

fnagel Nov 13, 2023 Author

lubber-de May 9, 2024 Maintainer

fnagel Nov 7, 2024 Author

lubber-de Nov 7, 2024 Maintainer

fnagel
Nov 7, 2023

Replies: 2 comments 3 replies

lubber-de
Nov 8, 2023
Maintainer

fnagel Nov 13, 2023
Author

lubber-de
May 9, 2024
Maintainer

fnagel Nov 7, 2024
Author

lubber-de Nov 7, 2024
Maintainer