25 critical, 22 high security vulnerabilities in the code (or referenced libs)

[KRBTy]

Doing an npm install on the current (latest) state of the repo outputs the following colorful warning:

62 vulnerabilities (4 low, 10 moderate, 22 high, 26 critical)

Doing an npm audit fix reduces the number a little:

57 vulnerabilities (10 moderate, 22 high, 25 critical)

Shouldn't we warn the community to avoid running this code publicly until these KNOWN vulnerabilities are taken care of?

[maxime-morel]

Update on September 2025:
67 vulnerabilities (8 low, 10 moderate, 22 high, 27 critical)

[csawyerYumaed]

Just because they exist, doesn't mean they apply to this codebase. I encourage you to do some work to see if these even apply to this code base. If they do apply, please send a PR to fix it!

The lazy option: What happens when you just up the dependencies to the newest versions(presumably without the vulns)?

[maxime-morel]

Hello @csawyerYumaed ,

agreed: advisories don’t automatically mean exploitable issues here.

I ran npm audit fix and --force to measure the impact; the forced bumps jump multiple majors and break the build (webpack config like devServer/IgnorePlugin). I fixed a few local errors, but the upgrade surface is large and I stopped there.

We can check whether the high/critical advisories are actually reachable; ultimately, the right move is to keep dependencies up to date.

[csawyerYumaed]

I agree it's good practice to keep dependencies up to date, but so far it doesn't seem anyone's willing to do the work.

I'm not currently a JS developer. I love the tool and use it daily though.

[timvisee]

Sorry for being a bit lacking on updating dependencies. It is because it is a never ending effort (across many projects), and I have a lot of other stuff to focus on. 😄

Though, I do keep track of potential vulnerabilities and bump dependencies if strictly required to get rid of them.

Please feel free to open a PR to bump dependencies, even if it's just a few of them.

[maxime-morel]

Hello @timvisee

Though, I do keep track of potential vulnerabilities and bump dependencies if strictly required to get rid of them.

That's reassuring. Thanks for the clarification.

I just started testing Send and it's definitely an interesting project. I'll try to help with the dependencies.

[maxime-morel]

I opened a PR that cleans up some of the dependency noise and fixes the dev server on Node 16.

• Updated common/assets.js so WDS v4 works again
• Bumped @sentry/browser + extract-loader
• Dropped css-mqpacker (unmaintained)

Before:

67 vulnerabilities (8 low, 10 moderate, 22 high, 27 critical)

After that:

34 vulnerabilities (1 moderate, 8 high, 25 critical)

Note that all the vulnerabilities (even before the bumps) were only linked to dev dependencies:

npm audit --omit=dev
found 0 vulnerabilities

Also I used an override to bypass the webpack 5 upgrade

  "overrides": {
    "webpack-dev-middleware": "^5.3.4",
    "follow-redirects": "^1.15.11",
    "shell-quote": "^1.8.3",
    "micromatch": "^4.0.8",
    "braces": "^3.0.3",
    "dns-packet": "^5.6.1",
    "selfsigned": "^2.4.1"
  },

I'm not sure that's a best practice, I'm not a node developer.

There are still dev-only warnings coming from the Webpack 4 stack, but the only real fix there would be moving to Webpack 5 + WDS 5. This PR keeps things stable without big changes.