Publish new version resolving deep-extend vulnerability? #222

Closed
rwjblue opened this issue May 14, 2018 · 6 comments

rwjblue commented May 14, 2018

Installing fsevents (generally through other tools like sane or chokidar) currently emits a warning.

This warning is referencing fsevents > node-pre-gyp > rc > deep-extend as the dependency chain. An updated version of deep-extend and rc are available, and would be used under normal circumstances, but since this library bundles node-pre-gyp (changing that seems to be tracked in #157) downstream consumers cannot resolve this vulnerability warning until fsevents is published again.

Full warning text:
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ chokidar                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ chokidar > fsevents > node-pre-gyp > rc > deep-extend        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 1 vulnerability found - Packages audited: 1228 (0 dev, 97 optional)
    Severity: 1 Low

Note:

I realize there have been many issues reported here around these vulnerability warnings (#198, #200, #205, etc), and I am sorry that this will likely seem like "just more noise". I am hopeful that the details above make it clear that this isn't a duplicate and hopefully makes addressing this one easier.

brettz9 commented May 15, 2018

And this can be confirmed without installing fsevents as a dependency by running npm audit (with a recent update to npm) on the local repository.

bnoordhuis (Contributor) commented

Thanks for the report but see #219 (comment).

rwjblue (Author) commented May 15, 2018

As explained in the issue description, all downstream packages already allow for the most recent versions of rc and deep-extend. However, since node-pre-gyp is a bundled dependency, end users of fsevents will not get those updates until a maintainer updates locally (e.g. rm -rf node_modules && npm install) and publishes a patch release.

This does not require patch releases of node-pre-gyp, rc, or deep-extend.

rwjblue (Author) commented May 15, 2018

As confirmation, try the following:

git clone git@github.com:strongloop/fsevents.git
cd fsevents
npm install
npm ls deep-extend

You will see that we get the following already (without any changes to this repo):

❯ npm ls deep-extend 
fsevents@1.2.4 /Users/rjackson/src/open-source/fsevents
└─┬ node-pre-gyp@0.10.0
  └─┬ rc@1.2.7
    └── deep-extend@0.5.1

Another example:

mkdir foo
cd foo
npm init -y
npm install fsevents@1.2.3
npm audit

This emits the warning I reported in the issue description.

rwjblue (Author) commented May 15, 2018

FWIW, @es128 just published 1.2.4 bumping to node-pre-gyp@0.10.0, which did fix this issue (thank you @es128!!). However that version bump was not required to solve this warning.

es128 (Contributor) commented May 15, 2018

@rwjblue correct, it just needed new bundling, but I took the opportunity to bump anyway.
