jest: Npm audit failing for jest 24.8.0 with severity high on 26k+ dependencies
Bug Report
Npm audit failing for jest 24.8.0 with severity high on 26k+ dependencies
To Reproduce
mkdir new-project && cd new-project
npm init -y
npm install --save jest@24.8.0
npm audit
Should produce the following output:
+ jest@24.8.0
added 547 packages from 362 contributors and audited 873711 packages in 15.659s
found 12675 high severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
Also see attached npm audit report in JSON format
Attachment: npm_audit_output.json.zip
Expected behavior
N/D
Link to repl or repo (highly encouraged)
N/D
Run npx envinfo --preset jest
Paste the results here:
System:
OS: macOS High Sierra 10.13.6
CPU: (8) x64 Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz
Binaries:
Node: 12.4.0 - ~/n/bin/node
npm: 6.9.2 - ~/n/bin/npm
npmPackages:
jest: ^24.8.0 => 24.8.0
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 37
- Comments: 15 (4 by maintainers)
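The audit output above reports one finding per vulnerable dependency path, which is how a handful of transitive advisories becomes a five-digit count. As an added example (not code from the issue or the Jest project), the script below reduces an npm 6 `npm audit --json` report to the distinct vulnerable modules and the shortest chain reaching each; the report shape is assumed from npm 6's JSON format and the report data itself is constructed.

```javascript
// Added example, not code from the Jest project or this issue: summarise an
// npm 6 `npm audit --json` report so a headline like "found 12675 high
// severity vulnerabilities" traces back to the distinct advisories behind it.
// Assumed npm 6 shape: advisories keyed by id, each with module_name,
// severity, patched_versions and findings[].paths. Report data is constructed.
const SAMPLE_REPORT = {
  advisories: {
    '1000': {
      module_name: 'set-value',
      severity: 'high',
      patched_versions: '>=2.0.1',
      findings: [{ version: '2.0.0', paths: [
        'jest>jest-cli>micromatch>snapdragon>base>cache-base>set-value',
        'jest>jest-cli>jest-config>micromatch>snapdragon>base>cache-base>set-value',
      ] }],
    },
    '1001': {
      module_name: 'mixin-deep',
      severity: 'high',
      patched_versions: '>=1.3.2',
      findings: [{ version: '1.3.1', paths: [
        'jest>jest-cli>micromatch>snapdragon>base>mixin-deep',
      ] }],
    },
  },
};

// npm 6 counts one "vulnerability" per vulnerable dependency path, so one
// advisory reached through thousands of transitive chains inflates the total.
function summarizeAudit(report) {
  const byModule = {};
  let totalPaths = 0;
  for (const adv of Object.values(report.advisories)) {
    const paths = adv.findings.flatMap((f) => f.paths);
    if (paths.length === 0) continue;
    totalPaths += paths.length;
    // The shortest chain shows which direct dependency must move to pull in the fix.
    const shortest = paths.reduce((a, b) =>
      b.split('>').length < a.split('>').length ? b : a);
    byModule[adv.module_name] = {
      severity: adv.severity,
      patchedVersions: adv.patched_versions,
      pathCount: paths.length,
      shortestPath: shortest,
      directDependency: shortest.split('>')[0],
    };
  }
  return { distinctModules: Object.keys(byModule).length, totalPaths, byModule };
}
```

To run it against a real tree, save `npm audit --json > report.json` and pass `JSON.parse(require('fs').readFileSync('report.json', 'utf8'))` to `summarizeAudit`.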
Upgrading micromatch to v4 (breaking) is planned for Jest 25, for performance reasons as well
`npm audit fix` fixes the problem
Same issue here
If `npm audit fix` fixes the problem, it means all fixed packages are within semver range of Jest and its dependencies. So I think we can close this.
(Happy to take PRs increasing the minimum version of Jest's deps if it helps pull in upstream fixes when we do make a release)
Great to see the community moved so fast on this! Thanks to everyone involved
Same here, set-value has been reported as vulnerable since last Friday
Would it be possible to upgrade micromatch to version ^4? Seems this version removes a dependency on snapdragon, which has mixin-deep in its chain. Seems there are a lot of jest-* packages that have micromatch 3 as a dependency though.
Edit: Might not be able to since micromatch 4 requires node 8.