
11ty getting started installs very old version bc of security vulnerabilities #2407

Closed
pracplayopen opened this issue May 24, 2022 · 6 comments
Labels
duplicate npm-audit Security audits from npm

Comments

@pracplayopen

Describe the bug

In April I installed 11ty using the Getting Started guide.

I was able to get things working well and quickly, but recently discovered that the Getting Started guide had installed an old version.

To Reproduce
Run a recent Node, then follow the Getting Started guide.

Expected behavior

Latest stable release of 11ty should install.

Environment:

$ node --version
v14.19.1

getting started install date:

$ ls -ld README.md 
-rw-rw-r-- 1 xxxxxxxx yyyyyyyyyy 0 Apr 12 12:13 README.md

Additional context

Here is what shows up after install:

$ npm outdated
Package         Current  Wanted  Latest  Location                     Depended by
@11ty/eleventy   0.11.1  0.11.1   1.0.1  node_modules/@11ty/eleventy 

$ npm update @11ty/eleventy

up to date, audited 377 packages in 1s

markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
fix available via `npm audit fix --force`
Will install @11ty/eleventy@1.0.1, which is a breaking change
node_modules/markdown-it
  @11ty/eleventy  <=0.12.1
  Depends on vulnerable versions of markdown-it
  Depends on vulnerable versions of pug
  node_modules/@11ty/eleventy

pug  <3.0.1
Severity: high
Remote code execution via the `pretty` option. - https://github.com/advisories/GHSA-p493-635q-r6gr
fix available via `npm audit fix --force`
Will install @11ty/eleventy@1.0.1, which is a breaking change
node_modules/pug

Originally discovered via issue

@pdehaan
Contributor

pdehaan commented May 24, 2022

@pracplayopen Are you referring to https://www.11ty.dev/docs/getting-started/?

@pracplayopen
Author

yup

@pdehaan
Contributor

pdehaan commented May 24, 2022

I'm not sure how it would have reverted to 0.11.1 (circa 2020-10-22).

npm info @11ty/eleventy time --json | grep "0.11.1"
#  "0.11.1": "2020-10-22T18:40:22.846Z",

I tried the Getting Started docs (local install, I don't like -g global installs) locally on my macOS 12.x laptop and it gave me 1.0.1, which is the latest stable version.

npm init -y
npm i -D @11ty/eleventy

added 322 packages, and audited 323 packages in 7s

26 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities


$(npm bin)/eleventy --version
# 1.0.1

Did you ever previously install Eleventy? Curious if you possibly had some old global install of Eleventy on your machine that it reverted to instead of grabbing the latest from npm. (npm ls -g --depth 0)

But I don't think I've ever seen npm switch to an older version of a package due to security audits.

npm version --json | jq '{npm:.npm, node:.node}'
{
  "npm": "8.5.0",
  "node": "16.14.2"
}

@pracplayopen
Author

Strange. I never heard of 11ty before a few weeks ago.
The machine it's running on is less than a year old.

I ran the install again and it worked this time.

I don't have enough experience with npm to offer much insight.

I can run more tests if you want more info, but I'm going to close this ticket.

Appreciate all the help, thanks.

$ npm i -D @11ty/eleventy
npm WARN idealTree Removing dependencies.@11ty/eleventy in favor of devDependencies.@11ty/eleventy

added 29 packages, removed 61 packages, changed 58 packages, and audited 341 packages in 6s

35 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ npx @11ty/eleventy --version
1.0.1

other info:

$ (npm ls -g --depth 0)
/usr/local/lib
└── npm@8.6.0
$ npm version --json | jq '{npm:.npm, node:.node}'
{
  "npm": "8.6.0",
  "node": "14.19.1"
}

@zachleat
Member

npm audit fix sometimes downgrades the package, which is almost never what you want.

I can confirm that the browser-sync dependency audits were fixed upstream, which is likely why it’s working now—it isn’t warning you or recommending npm audit fix. #2327

@zachleat zachleat added duplicate npm-audit Security audits from npm and removed needs-triage labels May 25, 2022
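A defender-side check for the behaviour zachleat describes, as an added example (not Eleventy project code): diff the `packages` map of a package-lock.json (lockfileVersion 2/3) captured before and after `npm audit fix --force` and flag every dependency that was moved to an older version. The two lockfile snapshots are constructed; the Eleventy versions mirror this thread, the other package is made up.

```javascript
// Added example, not Eleventy project code: diff the "packages" map of a
// package-lock.json (lockfileVersion 2/3) taken before and after
// `npm audit fix --force` and report every dependency that was rolled BACK.

// Parse a release version "MAJOR.MINOR.PATCH"; pre-release/build suffixes are
// dropped, which is enough for versions published to the npm registry.
function parseSemver(v) {
  const core = String(v).split(/[-+]/)[0];
  if (!/^\d+\.\d+\.\d+$/.test(core)) {
    throw new Error(`unsupported version string: ${v}`);
  }
  return core.split(".").map(Number);
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// before/after are the "packages" objects of the two lockfiles. Keys look like
// "node_modules/@11ty/eleventy"; "" is the root project and is skipped.
// Packages that were removed outright are not counted as downgrades.
function findDowngrades(before, after) {
  const downgrades = [];
  for (const [path, entry] of Object.entries(before)) {
    const next = after[path];
    if (path === "" || !entry.version || !next || !next.version) continue;
    if (compareSemver(next.version, entry.version) < 0) {
      const name = path.slice(path.lastIndexOf("node_modules/") + 13);
      downgrades.push({ name, from: entry.version, to: next.version });
    }
  }
  return downgrades;
}

// Constructed snapshots: a fix that rolled Eleventy back from 1.0.1 to 0.11.1
// (the versions from this thread); "example-dep" is made up for contrast.
const lockBefore = {
  "node_modules/@11ty/eleventy": { version: "1.0.1" },
  "node_modules/example-dep": { version: "2.4.0" },
};
const lockAfter = {
  "node_modules/@11ty/eleventy": { version: "0.11.1" },
  "node_modules/example-dep": { version: "2.5.1" },
};
findDowngrades(lockBefore, lockAfter).forEach((d) =>
  console.log(`DOWNGRADE ${d.name}: ${d.from} -> ${d.to}`));
```

Run it against `JSON.parse(fs.readFileSync("package-lock.json")).packages` from a copy saved before the audit fix and the lockfile it wrote afterwards; any line printed is a candidate to revert rather than commit.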
@pracplayopen
Author

OK, so that probably explains what happens, thank you.
