
Lots of vulnerabilities using NPM

dev.khosromanesh:

I just installed Vue using Vue CLI. The problem is I got so many vulnerabilities; for example, I used this command npm install --save vue-markdown and got this:

npm WARN deprecated [email protected]: Support has ended for 9.x series. Upgrade to @latest

added 23 packages, and audited 1297 packages in 57s

88 packages are looking for funding
  run `npm fund` for details

73 vulnerabilities (2 low, 59 moderate, 12 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

What should I do?

Sinnbeck:

First, try and let npm handle what it can:

npm audit fix

or, if you can roll back in case it breaks,

npm audit fix --force

If there are still more after this, run npm audit to see what the errors are.

And yes, these are the exact things suggested in the error message, but I assume you haven't tried any of them.

dev.khosromanesh:

@Sinnbeck I ran npm audit and here is the full log:

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install @vue/[email protected], which is a breaking change
node_modules/cliui/node_modules/ansi-regex
node_modules/ora/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/string-width/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/cliui/node_modules/strip-ansi
  node_modules/ora/node_modules/strip-ansi
  node_modules/webpack-dev-server/node_modules/string-width/node_modules/strip-ansi
  node_modules/wrap-ansi/node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/cliui
      yargs  10.1.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of string-width
      node_modules/webpack-dev-server/node_modules/yargs
        webpack-dev-server  2.0.0-beta - 4.7.2
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of selfsigned
        Depends on vulnerable versions of yargs
        node_modules/webpack-dev-server
          @vue/cli-service  *
          Depends on vulnerable versions of @intervolga/optimize-cssnano-plugin
          Depends on vulnerable versions of @vue/cli-plugin-router
          Depends on vulnerable versions of @vue/component-compiler-utils
          Depends on vulnerable versions of copy-webpack-plugin
          Depends on vulnerable versions of css-loader
          Depends on vulnerable versions of cssnano
          Depends on vulnerable versions of globby
          Depends on vulnerable versions of webpack-dev-server
          node_modules/@vue/cli-service
    ora  2.0.0 - 4.0.2
    Depends on vulnerable versions of strip-ansi
    node_modules/ora
      @vue/cli-shared-utils  <=4.5.15
      Depends on vulnerable versions of ora
      node_modules/@vue/cli-shared-utils
        @vue/cli-plugin-router  <=4.5.15
        Depends on vulnerable versions of @vue/cli-shared-utils
        node_modules/@vue/cli-service/node_modules/@vue/cli-plugin-router
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/cliui/node_modules/string-width
    node_modules/webpack-dev-server/node_modules/string-width
    node_modules/wrap-ansi/node_modules/string-width
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/wrap-ansi

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @vue/[email protected], which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/webpack-dev-server/node_modules/chokidar
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    Depends on vulnerable versions of yargs
    node_modules/webpack-dev-server
      @vue/cli-service  *
      Depends on vulnerable versions of @intervolga/optimize-cssnano-plugin
      Depends on vulnerable versions of @vue/cli-plugin-router
      Depends on vulnerable versions of @vue/component-compiler-utils
      Depends on vulnerable versions of copy-webpack-plugin
      Depends on vulnerable versions of css-loader
      Depends on vulnerable versions of cssnano
      Depends on vulnerable versions of globby
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@vue/cli-service
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby

markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
No fix available
node_modules/markdown-it
  vue-markdown  *
  Depends on vulnerable versions of markdown-it
  node_modules/vue-markdown

node-forge  <1.0.0
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
fix available via `npm audit fix --force`
Will install @vue/[email protected], which is a breaking change
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    Depends on vulnerable versions of yargs
    node_modules/webpack-dev-server
      @vue/cli-service  *
      Depends on vulnerable versions of @intervolga/optimize-cssnano-plugin
      Depends on vulnerable versions of @vue/cli-plugin-router
      Depends on vulnerable versions of @vue/component-compiler-utils
      Depends on vulnerable versions of copy-webpack-plugin
      Depends on vulnerable versions of css-loader
      Depends on vulnerable versions of cssnano
      Depends on vulnerable versions of globby
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@vue/cli-service

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  <=5.0.0-rc.2
      Depends on vulnerable versions of postcss
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo

postcss  <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install @vue/[email protected], which is a breaking change
node_modules/postcss
  @intervolga/optimize-cssnano-plugin  *
  Depends on vulnerable versions of cssnano
  Depends on vulnerable versions of postcss
  node_modules/@vue/cli-service/node_modules/@intervolga/optimize-cssnano-plugin
    @vue/cli-service  *
    Depends on vulnerable versions of @intervolga/optimize-cssnano-plugin
    Depends on vulnerable versions of @vue/cli-plugin-router
    Depends on vulnerable versions of @vue/component-compiler-utils
    Depends on vulnerable versions of copy-webpack-plugin
    Depends on vulnerable versions of css-loader
    Depends on vulnerable versions of cssnano
    Depends on vulnerable versions of globby
    Depends on vulnerable versions of webpack-dev-server
    node_modules/@vue/cli-service
  @vue/component-compiler-utils  *
  Depends on vulnerable versions of postcss
  node_modules/@vue/component-compiler-utils
    vue-loader  15.0.0-beta.1 - 15.9.8
    Depends on vulnerable versions of @vue/component-compiler-utils
    node_modules/vue-loader
  autoprefixer  1.0.20131222 - 9.8.8
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
  css-declaration-sorter  <=5.1.2
  Depends on vulnerable versions of postcss
  node_modules/css-declaration-sorter
  css-loader  0.15.0 - 4.3.0
  Depends on vulnerable versions of icss-utils
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of postcss-modules-values
  node_modules/@vue/cli-service/node_modules/css-loader
  cssnano  <=4.1.11
  Depends on vulnerable versions of cssnano-preset-default
  Depends on vulnerable versions of postcss
  node_modules/cssnano
  cssnano-preset-default  <=4.0.8
  Depends on vulnerable versions of postcss
  node_modules/cssnano-preset-default
  cssnano-util-raw-cache  *
  Depends on vulnerable versions of postcss
  node_modules/cssnano-util-raw-cache
  icss-utils  <=4.1.1
  Depends on vulnerable versions of postcss
  node_modules/icss-utils
    postcss-modules-local-by-default  <=4.0.0-rc.4
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-local-by-default
    postcss-modules-values  <=4.0.0-rc.5
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-values
  postcss-calc  4.1.0 - 7.0.5
  Depends on vulnerable versions of postcss
  node_modules/postcss-calc
  postcss-colormin  <=4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-colormin
  postcss-convert-values  <=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-convert-values
  postcss-discard-comments  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-comments
  postcss-discard-duplicates  1.1.0 - 4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-duplicates
  postcss-discard-empty  1.1.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-empty
  postcss-discard-overridden  <=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-discard-overridden
  postcss-loader  <=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-loader
  postcss-merge-longhand  <=4.0.11
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of stylehacks
  node_modules/postcss-merge-longhand
  postcss-merge-rules  <=4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-merge-rules
  postcss-minify-font-values  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-font-values
  postcss-minify-gradients  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-gradients
  postcss-minify-params  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-params
  postcss-minify-selectors  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-minify-selectors
  postcss-modules-extract-imports  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-extract-imports
  postcss-modules-scope  <=2.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope
  postcss-normalize-charset  <=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-charset
  postcss-normalize-display-values  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-display-values
  postcss-normalize-positions  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-positions
  postcss-normalize-repeat-style  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-repeat-style
  postcss-normalize-string  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-string
  postcss-normalize-timing-functions  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-timing-functions
  postcss-normalize-unicode  <=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-unicode
  postcss-normalize-url  1.1.0 - 4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-url
  postcss-normalize-whitespace  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-normalize-whitespace
  postcss-ordered-values  <=4.1.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-ordered-values
  postcss-reduce-initial  <=4.0.3
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-initial
  postcss-reduce-transforms  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-reduce-transforms
  postcss-svgo  <=5.0.0-rc.2
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of svgo
  node_modules/postcss-svgo
  postcss-unique-selectors  <=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-unique-selectors
  stylehacks  <=4.0.3
  Depends on vulnerable versions of postcss
  node_modules/stylehacks

67 vulnerabilities (2 low, 58 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

What should I do?

dev.khosromanesh:

@Sinnbeck I ran it several times and got this error:

E:\xampp 8\htdocs\rcf\frontend>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit No fix available for vue-markdown@*
npm WARN audit Updating @vue/cli-service to 3.12.1,which is a SemVer major change.
npm ERR! code ETARGET
npm ERR! notarget No matching version found for @vue/[email protected].
npm ERR! notarget In most cases you or one of your dependencies are requesting
npm ERR! notarget a package version that doesn't exist.

npm ERR! A complete log of this run can be found in:
npm ERR!     C:\Users990\AppData\Local\npm-cache\_logs22-02-17T09_22_16_354Z-debug-0.log
dev.khosromanesh:

@Sinnbeck Only 6 vulnerabilities were solved, and the others still exist.

Another problem is that npm run serve gets an error too after running npm audit fix --force.

Sinnbeck:

@dev.khosromanesh Yeah, there is always a chance of things breaking, as you are force-updating packages. That is why I originally said:

or if you can roll back in case it breaks

But for the rest, you need to see if there is a newer version of each package, or check the issue tracker on their GitHub page for fixes.

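The audit output above lists findings per advisory, which makes it hard to see what can actually be done about each one. As an added example (my own code, not from the thread or from npm), the script below takes the JSON form of the same report (`npm audit --json`, npm 7+ format) and, for each root advisory, reports the action npm proposes and the direct dependency that pulls the vulnerable package in. The embedded report is a constructed, shortened version of the one posted above; real dependency chains are longer.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
// reduced to a few entries from the thread; chains are shortened for brevity.
const BREAKING = { name: "@vue/cli-service", version: "3.12.1", isSemVerMajor: true };
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-parent": { name: "glob-parent", severity: "high", isDirect: false, effects: ["@vue/cli-service"],
      via: [{ title: "Regular expression denial of service", url: "https://github.com/advisories/GHSA-ww39-953v-wcq6" }],
      fixAvailable: BREAKING },
    "ansi-regex": { name: "ansi-regex", severity: "moderate", isDirect: false, effects: ["strip-ansi"],
      via: [{ title: "Inefficient Regular Expression Complexity in chalk/ansi-regex", url: "https://github.com/advisories/GHSA-93q8-gq69-wqmw" }],
      fixAvailable: BREAKING },
    "strip-ansi": { name: "strip-ansi", severity: "moderate", isDirect: false, effects: ["@vue/cli-service"], via: ["ansi-regex"], fixAvailable: BREAKING },
    "nth-check": { name: "nth-check", severity: "moderate", isDirect: false, effects: ["@vue/cli-service"],
      via: [{ title: "Inefficient Regular Expression Complexity in nth-check", url: "https://github.com/advisories/GHSA-rp65-9cf3-cjxr" }],
      fixAvailable: true },
    "@vue/cli-service": { name: "@vue/cli-service", severity: "moderate", isDirect: true, effects: [], via: ["strip-ansi", "nth-check", "glob-parent"], fixAvailable: BREAKING },
    "markdown-it": { name: "markdown-it", severity: "moderate", isDirect: false, effects: ["vue-markdown"],
      via: [{ title: "Uncontrolled Resource Consumption in markdown-it", url: "https://github.com/advisories/GHSA-6vfc-qv3f-vr6c" }],
      fixAvailable: false },
    "vue-markdown": { name: "vue-markdown", severity: "moderate", isDirect: true, effects: [], via: ["markdown-it"], fixAvailable: false },
  },
};

// Follow `effects` upward until a package listed in package.json (isDirect) is reached.
function directDependents(name, vulns, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  if (vulns[name].isDirect) return [name];
  return vulns[name].effects.flatMap((e) => directDependents(e, vulns, seen));
}

// Map npm's `fixAvailable` field (true / false / object) to the action the text report suggests.
function actionFor(fix) {
  if (fix === true) return "npm audit fix";
  if (fix && fix.isSemVerMajor) return `npm audit fix --force (breaking: bumps ${fix.name} to ${fix.version})`;
  if (fix) return `npm audit fix (updates ${fix.name} to ${fix.version})`;
  return "no fix available: pin, patch, or choose a different dependency";
}

// Root advisories are entries whose `via` holds an advisory object; string entries are
// packages that are vulnerable only because of something further down the tree.
function triage(report) {
  const vulns = report.vulnerabilities;
  const rank = ["critical", "high", "moderate", "low", "info"];
  const findings = [];
  for (const entry of Object.values(vulns)) {
    for (const adv of entry.via) {
      if (typeof adv !== "object") continue;
      findings.push({ package: entry.name, severity: entry.severity, title: adv.title, url: adv.url,
        action: actionFor(entry.fixAvailable), directDependents: [...new Set(directDependents(entry.name, vulns))] });
    }
  }
  return findings.sort((a, b) => rank.indexOf(a.severity) - rank.indexOf(b.severity));
}

console.log(JSON.stringify(triage(SAMPLE_REPORT), null, 2));
```

To run it against a real project, replace SAMPLE_REPORT with JSON.parse of the output of `npm audit --json`.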
