OSS Gate Workshop: online: 2021-10-30: kaiyu-tech: Vue CLI: Work log

[kaiyu-tech]

This is a work log of a "OSS Gate workshop".
"OSS Gate workshop" is an activity to increase OSS developers.
Here's been discussed in Japanese. Thanks.

作業ログ作成時の説明

以下のテンプレートを埋めてタイトルに設定します。埋め方例はスクロールすると見えてきます。

OSS Gate Workshop: ${LOCATION}: ${YEAR}-${MONTH}-${DAY}: ${ACCOUNT_NAME}: ${OSS_NAME}: Work log

タイトル例↓：

OSS Gate Workshop: Tokyo: 2017-01-16: kou: Rabbit: Work log

OSS Gateワークショップ関連情報

• スライド：ワークショップの進行に使っているスライドがあります。
• チャット：OSS開発に関することならなんでも相談できます。ワークショップが終わった後もオンラインで相談しながら継続的にOSSの開発に参加しましょう！
• シナリオ：ワークショップの目的・内容・進め方の詳細が書いています。
• 過去のビギナーの作業ログ：他の人の作業ログから学べることがいろいろあるはずです。

[kaiyu-tech]

Vue CLIをやってみようと思います。
https://cli.vuejs.org/

上記ページのフッターにMIT Licensedと書かれている。
https://opensource.org/licenses/alphabetical
の一覧の中に「MITライセンス」があるので、これはOSSと思われる。

[kaiyu-tech]

トップページにGetting Startedがあるのでそれを実行してみる。

[kaiyu-tech]

npm install -g @vue/cli

vue create my-project

[kaiyu-tech]

npm install -g @vue/cliを実行すると以下のようなワーニングが出る。
既におかしいような気もするのですが、もう一つのコマンドも入力してみます。

$ npm install -g @vue/cli
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated apollo-tracing@0.15.0: The `apollo-tracing` package is no longer part of Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#tracing for details
npm WARN deprecated graphql-extensions@0.15.0: The `graphql-extensions` API has been removed from Apollo Server 3. Use the plugin API instead: https://www.apollographql.com/docs/apollo-server/integrations/plugins/
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated apollo-cache-control@0.14.0: The functionality provided by the `apollo-cache-control` package is built in to `apollo-server-core` starting with Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#cachecontrol for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead

added 1 package, changed 943 packages, and audited 945 packages in 1m

65 packages are looking for funding
  run `npm fund` for details

23 vulnerabilities (4 moderate, 19 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

[kaiyu-tech]

Default ([Vue 2] babel, eslint)を選択しました。

$ vue create my-project


Vue CLI v4.5.15
? Please pick a preset: (Use arrow keys)
❯ Default ([Vue 2] babel, eslint) 
  Default (Vue 3) ([Vue 3] babel, eslint) 
  Manually select features 

[kaiyu-tech]

Default ([Vue 2] babel, eslint)を選択後のメッセージです。

$ vue create my-project


Vue CLI v4.5.15
? Please pick a preset: Default ([Vue 2] babel, eslint)


Vue CLI v4.5.15
✨  Creating project in ~/work/oss-gate/my-project.
🗃  Initializing git repository...
⚙️  Installing CLI plugins. This might take a while...


added 1286 packages, and audited 1287 packages in 1m

83 packages are looking for funding
  run `npm fund` for details

43 vulnerabilities (18 moderate, 25 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
🚀  Invoking generators...
📦  Installing additional dependencies...


added 49 packages, and audited 1336 packages in 20s

88 packages are looking for funding
  run `npm fund` for details

45 vulnerabilities (20 moderate, 25 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
⚓  Running completion hooks...

📄  Generating README.md...

🎉  Successfully created project my-project.
👉  Get started with the following commands:

 $ cd my-project
 $ npm run serve

[hata6502]

npm audit fix --force を実行したときのログも、いただけるとうれしいです。

[kaiyu-tech]

メッセージに以下のようにあるので、

To address all issues possible (including breaking changes), run:
  npm audit fix --force

作成したプロジェクトのディレクトリに移動して、

$ cd my-project

以下を実行してみる。

$ npm audit fix --force

[kaiyu-tech]

実行結果として以下のようにメッセージが出る。
結果としてワーニングは解消されないようである。

$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating eslint to 8.1.0,which is a SemVer major change.
npm WARN audit Updating @vue/cli-service to 3.12.1,which is a SemVer major change.
npm WARN audit Updating eslint-plugin-vue to 8.0.2,which is a SemVer major change.
npm WARN audit Updating @vue/cli-plugin-eslint to 3.12.1,which is a SemVer major change.
npm WARN audit Updating @vue/cli-plugin-babel to 3.12.1,which is a SemVer major change.
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: eslint-loader@2.2.1
npm WARN Found: eslint@8.1.0
npm WARN node_modules/eslint
npm WARN   dev eslint@"8.1.0" from the root project
npm WARN   3 more (babel-eslint, eslint-plugin-vue, eslint-utils)
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer eslint@">=1.6.0 <7.0.0" from eslint-loader@2.2.1
npm WARN node_modules/eslint-loader
npm WARN   eslint-loader@"^2.1.2" from @vue/cli-plugin-eslint@3.12.1
npm WARN   node_modules/@vue/cli-plugin-eslint
npm WARN 
npm WARN Conflicting peer dependency: eslint@4.4.1
npm WARN node_modules/eslint
npm WARN   peer eslint@">=1.6.0 <7.0.0" from eslint-loader@2.2.1
npm WARN   node_modules/eslint-loader
npm WARN     eslint-loader@"^2.1.2" from @vue/cli-plugin-eslint@3.12.1
npm WARN     node_modules/@vue/cli-plugin-eslint
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: eslint-plugin-vue@4.7.1
npm WARN Found: eslint@4.19.1
npm WARN node_modules/@vue/cli-plugin-eslint/node_modules/eslint
npm WARN   optional eslint@"^4.19.1" from @vue/cli-plugin-eslint@3.12.1
npm WARN   node_modules/@vue/cli-plugin-eslint
npm WARN     dev @vue/cli-plugin-eslint@"3.12.1" from the root project
npm WARN   1 more (eslint-plugin-vue)
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer eslint@"^3.18.0 || ^4.0.0" from eslint-plugin-vue@4.7.1
npm WARN node_modules/@vue/cli-plugin-eslint/node_modules/eslint-plugin-vue
npm WARN   optional eslint-plugin-vue@"^4.7.1" from @vue/cli-plugin-eslint@3.12.1
npm WARN   node_modules/@vue/cli-plugin-eslint
npm WARN 
npm WARN Conflicting peer dependency: eslint@4.4.1
npm WARN node_modules/eslint
npm WARN   peer eslint@"^3.18.0 || ^4.0.0" from eslint-plugin-vue@4.7.1
npm WARN   node_modules/@vue/cli-plugin-eslint/node_modules/eslint-plugin-vue
npm WARN     optional eslint-plugin-vue@"^4.7.1" from @vue/cli-plugin-eslint@3.12.1
npm WARN     node_modules/@vue/cli-plugin-eslint
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: vue-eslint-parser@2.0.3
npm WARN Found: eslint@4.19.1
npm WARN node_modules/@vue/cli-plugin-eslint/node_modules/eslint
npm WARN   optional eslint@"^4.19.1" from @vue/cli-plugin-eslint@3.12.1
npm WARN   node_modules/@vue/cli-plugin-eslint
npm WARN     dev @vue/cli-plugin-eslint@"3.12.1" from the root project
npm WARN   1 more (eslint-plugin-vue)
npm WARN 
npm WARN Could not resolve dependency:
npm WARN peer eslint@">=3.9.0" from vue-eslint-parser@2.0.3
npm WARN node_modules/@vue/cli-plugin-eslint/node_modules/eslint-plugin-vue/node_modules/vue-eslint-parser
npm WARN   vue-eslint-parser@"^2.0.3" from eslint-plugin-vue@4.7.1
npm WARN   node_modules/@vue/cli-plugin-eslint/node_modules/eslint-plugin-vue
npm WARN 
npm WARN Conflicting peer dependency: eslint@8.1.0
npm WARN node_modules/eslint
npm WARN   peer eslint@">=3.9.0" from vue-eslint-parser@2.0.3
npm WARN   node_modules/@vue/cli-plugin-eslint/node_modules/eslint-plugin-vue/node_modules/vue-eslint-parser
npm WARN     vue-eslint-parser@"^2.0.3" from eslint-plugin-vue@4.7.1
npm WARN     node_modules/@vue/cli-plugin-eslint/node_modules/eslint-plugin-vue
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

added 159 packages, removed 123 packages, changed 85 packages, and audited 1372 packages in 49s

88 packages are looking for funding
  run `npm fund` for details

# npm audit report

ansi-html  *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
No fix available
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.1.0
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of http-proxy-middleware
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server
    @vue/cli-service  <=5.0.0-beta.3
    Depends on vulnerable versions of @vue/cli-shared-utils
    Depends on vulnerable versions of cliui
    Depends on vulnerable versions of copy-webpack-plugin
    Depends on vulnerable versions of cssnano
    Depends on vulnerable versions of globby
    Depends on vulnerable versions of ora
    Depends on vulnerable versions of webpack-dev-server
    node_modules/@vue/cli-service

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
No fix available
node_modules/@vue/cli-plugin-eslint/node_modules/ansi-regex
node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/string-width/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/@vue/cli-plugin-eslint/node_modules/strip-ansi
  node_modules/inquirer/node_modules/strip-ansi
  node_modules/strip-ansi
  node_modules/table/node_modules/strip-ansi
  node_modules/webpack-dev-server/node_modules/string-width/node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/cliui
      @vue/cli-service  <=5.0.0-beta.3
      Depends on vulnerable versions of @vue/cli-shared-utils
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of copy-webpack-plugin
      Depends on vulnerable versions of cssnano
      Depends on vulnerable versions of globby
      Depends on vulnerable versions of ora
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@vue/cli-service
      yargs  10.1.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of string-width
      node_modules/webpack-dev-server/node_modules/yargs
        webpack-dev-server  2.0.0-beta - 4.1.0
        Depends on vulnerable versions of ansi-html
        Depends on vulnerable versions of chokidar
        Depends on vulnerable versions of http-proxy-middleware
        Depends on vulnerable versions of yargs
        node_modules/webpack-dev-server
    eslint  4.5.0 - 7.15.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of table
    node_modules/@vue/cli-plugin-eslint/node_modules/eslint
      @vue/cli-plugin-eslint  <=5.0.0-alpha.1
      Depends on vulnerable versions of @vue/cli-shared-utils
      Depends on vulnerable versions of eslint
      Depends on vulnerable versions of globby
      node_modules/@vue/cli-plugin-eslint
    inquirer  3.2.0 - 7.0.4
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of strip-ansi
    node_modules/inquirer
    ora  2.0.0 - 4.0.2
    Depends on vulnerable versions of strip-ansi
    node_modules/ora
      @vue/cli-shared-utils  <=4.5.15
      Depends on vulnerable versions of ora
      node_modules/@vue/cli-shared-utils
        @vue/cli-plugin-babel  3.4.0 - 4.5.15
        Depends on vulnerable versions of @vue/cli-shared-utils
        node_modules/@vue/cli-plugin-babel
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/cliui/node_modules/string-width
    node_modules/inquirer/node_modules/string-width
    node_modules/table/node_modules/string-width
    node_modules/webpack-dev-server/node_modules/string-width
    node_modules/wrap-ansi/node_modules/string-width
      table  4.0.2 - 5.4.6
      Depends on vulnerable versions of string-width
      node_modules/table
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/wrap-ansi

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
No fix available
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of glob-parent
  Depends on vulnerable versions of readdirp
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.0.0-alpha.0 - 5.0.0-rc.6
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.1.0
    Depends on vulnerable versions of ansi-html
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of http-proxy-middleware
    Depends on vulnerable versions of yargs
    node_modules/webpack-dev-server
      @vue/cli-service  <=5.0.0-beta.3
      Depends on vulnerable versions of @vue/cli-shared-utils
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of copy-webpack-plugin
      Depends on vulnerable versions of cssnano
      Depends on vulnerable versions of globby
      Depends on vulnerable versions of ora
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@vue/cli-service
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  Depends on vulnerable versions of micromatch
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      @vue/cli-plugin-eslint  <=5.0.0-alpha.1
      Depends on vulnerable versions of @vue/cli-shared-utils
      Depends on vulnerable versions of eslint
      Depends on vulnerable versions of globby
      node_modules/@vue/cli-plugin-eslint

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
No fix available
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          @intervolga/optimize-cssnano-plugin  >=1.0.2
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/@intervolga/optimize-cssnano-plugin
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            @vue/cli-service  <=5.0.0-beta.3
            Depends on vulnerable versions of @vue/cli-shared-utils
            Depends on vulnerable versions of cliui
            Depends on vulnerable versions of copy-webpack-plugin
            Depends on vulnerable versions of cssnano
            Depends on vulnerable versions of globby
            Depends on vulnerable versions of ora
            Depends on vulnerable versions of webpack-dev-server
            node_modules/@vue/cli-service

serialize-javascript  <=3.0.0
Severity: high
Insecure serialization leading to RCE in serialize-javascript - https://github.com/advisories/GHSA-hxcc-f52p-wc94
Cross-Site Scripting in serialize-javascript - https://github.com/advisories/GHSA-h9rv-jmmf-4pgx
No fix available
node_modules/copy-webpack-plugin/node_modules/serialize-javascript
  copy-webpack-plugin  4.3.0 - 5.1.1
  Depends on vulnerable versions of cacache
  Depends on vulnerable versions of serialize-javascript
  node_modules/copy-webpack-plugin
    @vue/cli-service  <=5.0.0-beta.3
    Depends on vulnerable versions of @vue/cli-shared-utils
    Depends on vulnerable versions of cliui
    Depends on vulnerable versions of copy-webpack-plugin
    Depends on vulnerable versions of cssnano
    Depends on vulnerable versions of globby
    Depends on vulnerable versions of ora
    Depends on vulnerable versions of webpack-dev-server
    node_modules/@vue/cli-service

set-value  <4.0.1
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
No fix available
node_modules/set-value
  cache-base  >=0.7.0
  Depends on vulnerable versions of set-value
  Depends on vulnerable versions of union-value
  node_modules/cache-base
    base  >=0.7.0
    Depends on vulnerable versions of cache-base
    node_modules/base
      snapdragon  0.6.0 - 0.10.1
      Depends on vulnerable versions of base
      node_modules/snapdragon
        braces  2.0.0 - 2.3.2
        Depends on vulnerable versions of snapdragon
        node_modules/braces
          chokidar  1.0.0-rc1 - 2.1.8
          Depends on vulnerable versions of braces
          Depends on vulnerable versions of glob-parent
          Depends on vulnerable versions of readdirp
          node_modules/watchpack-chokidar2/node_modules/chokidar
          node_modules/webpack-dev-server/node_modules/chokidar
            watchpack-chokidar2  *
            Depends on vulnerable versions of chokidar
            node_modules/watchpack-chokidar2
              watchpack  1.7.2 - 1.7.5
              Depends on vulnerable versions of watchpack-chokidar2
              node_modules/watchpack
                webpack  4.0.0-alpha.0 - 5.0.0-rc.6
                Depends on vulnerable versions of micromatch
                Depends on vulnerable versions of watchpack
                node_modules/webpack
            webpack-dev-server  2.0.0-beta - 4.1.0
            Depends on vulnerable versions of ansi-html
            Depends on vulnerable versions of chokidar
            Depends on vulnerable versions of http-proxy-middleware
            Depends on vulnerable versions of yargs
            node_modules/webpack-dev-server
              @vue/cli-service  <=5.0.0-beta.3
              Depends on vulnerable versions of @vue/cli-shared-utils
              Depends on vulnerable versions of cliui
              Depends on vulnerable versions of copy-webpack-plugin
              Depends on vulnerable versions of cssnano
              Depends on vulnerable versions of globby
              Depends on vulnerable versions of ora
              Depends on vulnerable versions of webpack-dev-server
              node_modules/@vue/cli-service
        expand-brackets  1.0.0 - 2.1.4
        Depends on vulnerable versions of snapdragon
        node_modules/expand-brackets
        extglob  1.0.0 - 2.0.4
        Depends on vulnerable versions of snapdragon
        node_modules/extglob
        micromatch  3.0.0 - 3.1.10
        Depends on vulnerable versions of snapdragon
        node_modules/micromatch
          anymatch  2.0.0
          Depends on vulnerable versions of micromatch
          node_modules/watchpack-chokidar2/node_modules/anymatch
          node_modules/webpack-dev-server/node_modules/anymatch
          fast-glob  <=2.2.7
          Depends on vulnerable versions of glob-parent
          Depends on vulnerable versions of micromatch
          node_modules/fast-glob
            globby  8.0.0 - 9.2.0
            Depends on vulnerable versions of fast-glob
            node_modules/globby
              @vue/cli-plugin-eslint  <=5.0.0-alpha.1
              Depends on vulnerable versions of @vue/cli-shared-utils
              Depends on vulnerable versions of eslint
              Depends on vulnerable versions of globby
              node_modules/@vue/cli-plugin-eslint
          http-proxy-middleware  0.18.0 - 0.19.2
          Depends on vulnerable versions of micromatch
          node_modules/http-proxy-middleware
          readdirp  2.2.0 - 2.2.1
          Depends on vulnerable versions of micromatch
          node_modules/watchpack-chokidar2/node_modules/readdirp
          node_modules/webpack-dev-server/node_modules/readdirp
        nanomatch  >=0.1.1
        Depends on vulnerable versions of snapdragon
        node_modules/nanomatch
  union-value  *
  Depends on vulnerable versions of set-value
  node_modules/union-value

ssri  5.2.2 - 6.0.1
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
No fix available
node_modules/copy-webpack-plugin/node_modules/ssri
  cacache  10.0.4 - 11.0.0
  Depends on vulnerable versions of ssri
  node_modules/copy-webpack-plugin/node_modules/cacache
    copy-webpack-plugin  4.3.0 - 5.1.1
    Depends on vulnerable versions of cacache
    Depends on vulnerable versions of serialize-javascript
    node_modules/copy-webpack-plugin
      @vue/cli-service  <=5.0.0-beta.3
      Depends on vulnerable versions of @vue/cli-shared-utils
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of copy-webpack-plugin
      Depends on vulnerable versions of cssnano
      Depends on vulnerable versions of globby
      Depends on vulnerable versions of ora
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@vue/cli-service

47 vulnerabilities (19 moderate, 28 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

[kaiyu-tech]

npm audit fix --force を実行したときのログも、いただけるとうれしいです。

上記についてのログも追加しました！

[kaiyu-tech]

npm audit fix --forceを実行しても、結果としてワーニングが解消しないのは問題であると思われる。

[kaiyu-tech]

#1492 (comment)
vue create my-projectを実行した時のログの最後に、

npm run serve

とあるのでとりあえず実行してみる。

[kaiyu-tech]

ERROR Failed to compile with 1 errors
TypeError: eslint.CLIEngine is not a constructor
と言うエラーが出てしまう。

$ npm run serve

> my-project@0.1.0 serve
> vue-cli-service serve

 INFO  Starting development server...
98% after emitting CopyPlugin

 ERROR  Failed to compile with 1 errors                                                                                                                                                    11:48:11

Module build failed (from ./node_modules/eslint-loader/index.js):
TypeError: eslint.CLIEngine is not a constructor
    at Object.module.exports (~/work/oss-gate/my-project/node_modules/eslint-loader/index.js:223:27)

You may use special comments to disable some warnings.
Use // eslint-disable-next-line to ignore the next line.
Use /* eslint-disable */ to ignore all warnings in a file.

[kaiyu-tech]

nodeとnpmのバージョンも確認しておくと良いとサポーターさんにアドバイスいただいたので確認しました。

$ node -v
v16.9.0

$ npm -v
7.21.1

念の為vueのバージョンも確認しました。

$ vue -V
@vue/cli 4.5.15

[kaiyu-tech]

nodeとnpmがどこにインストールされているか（何を通してインストールしたか）を確認すると良いとアドバイスいただいたので確認しました。

$ which node
~/.nvm/versions/node/v16.9.0/bin/node

$ which npm 
~/.nvm/versions/node/v16.9.0/bin/npm

[hata6502]

@hata6502 の環境だとうまく動作したため、報告します。

環境
Ubuntu: 20.04
node: 16.13.0
npm: 8.1.0

• npm audit fix --force をしていない。
• npm v8 を使っている。

$ npm i -g @vue/cli
npm WARN deprecated @hapi/topo@3.1.6: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/bourne@1.3.2: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated apollo-tracing@0.15.0: The `apollo-tracing` package is no longer part of Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#tracing for details
npm WARN deprecated graphql-extensions@0.15.0: The `graphql-extensions` API has been removed from Apollo Server 3. Use the plugin API instead: https://www.apollographql.com/docs/apollo-server/integrations/plugins/
npm WARN deprecated @hapi/address@2.1.4: Moved to 'npm install @sideway/address'
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated apollo-cache-control@0.14.0: The functionality provided by the `apollo-cache-control` package is built in to `apollo-server-core` starting with Apollo Server 3. See https://www.apollographql.com/docs/apollo-server/migration/#cachecontrol for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated @hapi/hoek@8.5.1: This version has been deprecated and is no longer supported or maintained
npm WARN deprecated @hapi/joi@15.1.1: Switch to 'npm install joi'
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead

added 944 packages, and audited 945 packages in 41s

65 packages are looking for funding
  run `npm fund` for details

23 vulnerabilities (4 moderate, 19 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

$ vue create my-project


Vue CLI v4.5.15
? Please pick a preset: Default ([Vue 2] babel, eslint)
? Pick the package manager to use when installing dependencies: NPM


Vue CLI v4.5.15
✨  Creating project in /home/hata6502/test/my-project.
🗃  Initializing git repository...
⚙️  Installing CLI plugins. This might take a while...


added 1283 packages, and audited 1284 packages in 59s

83 packages are looking for funding
  run `npm fund` for details

43 vulnerabilities (18 moderate, 25 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
🚀  Invoking generators...
📦  Installing additional dependencies...


added 49 packages, and audited 1333 packages in 4s

88 packages are looking for funding
  run `npm fund` for details

45 vulnerabilities (20 moderate, 25 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
⚓  Running completion hooks...

📄  Generating README.md...

🎉  Successfully created project my-project.
👉  Get started with the following commands:

$ cd my-project
$ npm run serve

> my-project@0.1.0 serve
> vue-cli-service serve

 INFO  Starting development server...
98% after emitting CopyPlugin

 DONE  Compiled successfully in 1232ms                                                                                                                                     11:54:38


  App running at:
  - Local:   http://localhost:8080/ 
  - Network: http://192.168.1.46:8080/

  Note that the development build is not optimized.
  To create a production build, run npm run build.

[kaiyu-tech]

サポーターさんの環境では発生しないとアドバイスいただいたので、nodeとnpmのバージョンを上げて試してみます。

[kaiyu-tech]

nvm install 16.13.0を実行しました。

$ nvm install 16.13.0
Downloading and installing node v16.13.0...
Downloading https://nodejs.org/dist/v16.13.0/node-v16.13.0-darwin-x64.tar.xz...
################################################################################################################################################################################################################################# 100.0%
Computing checksum with shasum -a 256
Checksums matched!
Now using node v16.13.0 (npm v8.1.0)

[u16suzu]

eslint.CLIEngine is not a constructor vue cli というキーワードでググったところ、
以下のIssueが上がっていました。

eslint/eslint#15175

エラーメッセージは同じ模様です。

kaiyu-techさんのエラーメッセージ : #1492 (comment)

PRのエラーメッセージ : Syntax Error: TypeError: eslint.CLIEngine is not a constructor

[kaiyu-tech]

nodeとnpmのバージョンが安定版の最新版になったようです。

$ node -v            
v16.13.0

$ npm -v
8.1.0

またMacOSを使用しています。
そちらのバージョンは、
macOS Big Sur 11.6です。

[piroor]

• npm audit fixを実行してもまだWARNが出続けるのは気持ち悪いので、なんとかなっているとよさそう
• eslintのエラーについては、すでにissueを立てているひとがいた。 Add support for ESlint 8.0 in vue-eslint-parser vuejs/vue-cli#6759 ここに情報提供したり、PRを出したりできるといいかも

[hata6502]

@vue/cli は vue を初めての方も使う CLI だと思うので、
改善の余地がありそうですね。

[u16suzu]

@kaiyu-tech
すみません〜午前中だけなので抜けちゃいます。 🙇
上記のIssueは以下の方法で、出てきました。

私がよくやるのは、以下です！

1. エラーメッセージ＋ライブラリ名でググる
2. ライブラリのリポジトリのIssue, PRの部分にエラーメッセージを追加して検索する

[kaiyu-tech]

ふりかえり後の作業ですが、追記します。

nodeとnpmのバージョンが最新版になっても、エラーは解消されないようです。

$ npm run serve          

> my-project@0.1.0 serve
> vue-cli-service serve

 INFO  Starting development server...
98% after emitting CopyPlugin

 ERROR  Failed to compile with 1 errors                                                                                                                                       12:56:35

Module build failed (from ./node_modules/eslint-loader/index.js):
TypeError: eslint.CLIEngine is not a constructor
    at Object.module.exports (~/work/oss-gate/my-project/node_modules/eslint-loader/index.js:223:27)

You may use special comments to disable some warnings.
Use // eslint-disable-next-line to ignore the next line.
Use /* eslint-disable */ to ignore all warnings in a file.

[ttyniwa]

すでに #1492 (comment) にかかれているアドバイスのとおりですが、エラーが起きたときにはまず公式リポジトリのIssueをエラーメッセージで検索するとよいです。
以下のissueが関連が深そうです。
vuejs/vue-cli#6759

I'm using Vue CLI & after upgrading ESlint from version 7.32.0 to 8.0.1 I get the error Syntax Error: TypeError: eslint.CLIEngine is not a constructor after launching the project for development with npm run serve.

この人も npm run serve で起動したときに該当のエラーが発生しているようです。
このあたりをとっかかりに調査してみると良いと思います。

[ttyniwa]

調査に関する補足：

1. まずはエラーメッセージでGoogle検索する
   • 日本語で解決策を記載してくれている人がいればそれを見ると素早く解決できますね。他にもstackoverflowなどの海外のサイトやブログなどに、同じエラーメッセージが書いてあればそこに解決策が乗っている可能性は高いです。
2. 1で解決策が見つからなければ、公式リポジトリのIssue/PRを検索する
   • Google検索はページがインデックスされないとヒットしません。最新のIssueはまだGoogle検索で出てこないことがありますし、古いIssueでも他の検索結果に埋もれていることがあります。よって、公式リポジトリのIssueを検索することは重要です。

[kaiyu-tech]

アドバイザーさんの環境と全く同じ環境（OS以外）にすることでエラーが出ないようになりました。

[kaiyu-tech]

npm install -g @vue/cli
vue create my-project
cd my-project
# npm audit fix --force # <- ここでこれを行うことによりプロジェクトが破壊されるようである
npm run serve

npm audit fix --forceを行わなければ、npm run serveを実行してもエラーは出ませんでした。

[kaiyu-tech]

ちなみに、--forceオプション無しのnpm audit fixだけの場合は、以下のようにエラーになりました。

$ npm audit fix
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @vue/cli-plugin-eslint@4.5.15
npm ERR! Found: eslint@6.8.0
npm ERR! node_modules/eslint
npm ERR!   dev eslint@"^6.7.2" from the root project
npm ERR!   peer eslint@">= 1.6.0 < 7.0.0" from @vue/cli-plugin-eslint@4.5.15
npm ERR!   node_modules/@vue/cli-plugin-eslint
npm ERR!     dev @vue/cli-plugin-eslint@"~4.5.0" from the root project
npm ERR!   4 more (babel-eslint, eslint-loader, eslint-plugin-vue, vue-eslint-parser)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer eslint@">= 1.6.0 < 7.0.0" from @vue/cli-plugin-eslint@4.5.15
npm ERR! node_modules/@vue/cli-plugin-eslint
npm ERR!   dev @vue/cli-plugin-eslint@"~4.5.0" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: eslint@4.4.1
npm ERR! node_modules/eslint
npm ERR!   peer eslint@">= 1.6.0 < 7.0.0" from @vue/cli-plugin-eslint@4.5.15
npm ERR!   node_modules/@vue/cli-plugin-eslint
npm ERR!     dev @vue/cli-plugin-eslint@"~4.5.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See ~/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     ~/.npm/_logs/2021-10-30T04_34_42_521Z-debug.log

[kaiyu-tech]

上記までがお昼後に行った作業です。

[kaiyu-tech]

そこで、既に上がっているIssueをサポーターさんに確認していただいたところ、既にCloseしているとのことでした。
eslint/eslint#15175
vuejs/vue-cli#6714
ただし、その修正についてはベータ版のv5(devブランチ)に対してしか行われていないとのことでした。

そこで現行のv4ブランチに対しても同様の修正を行ってもらえるようにできないかなと考えています。

[kaiyu-tech]

Bug：TypeError: eslint.CLIEngine is not a constructor

• Version
  Vue CLI: 4.5.15

• Environment info
  Node version: v16.13.0
  npm version: 8.1.2
  OS: macOS Big Sur 11.6

私はGetting Startedに従って、Vueプロジェクトの新規作成と実行を試みました。
しかしプロジェクトを起動しようとしたときに、TypeError: eslint.CLIEngine is not a constructorが発生しました。

• Steps to reproduce

npm install -g @vue/cli
vue create my-project
cd my-project
npm audit fix --force
npm run serve

1. npm install -g @vue/cliを実行して、Vue CLIをグローバルにインストールします。
2. vue create my-projectを実行して、プロジェクトを作成します。
3. cd my-projectを実行して、作成したプロジェクトのあるディレクトリに移動します。
4. インストール中に脆弱性問題が発生している旨のメッセージが出るため、npm audit fix --forceを実行する。
5. しかし脆弱性問題を解消することができない旨のメッセージが出る。
6. 一旦脆弱性問題を無視してnpm run serveを実行する。
7. TypeError: eslint.CLIEngine is not a constructorが発生します。

$ npm run serve

> my-project@0.1.0 serve
> vue-cli-service serve

 INFO  Starting development server...
98% after emitting CopyPlugin

 ERROR  Failed to compile with 1 errors                                                                         19:48:55

Module build failed (from ./node_modules/@vue/cli-plugin-eslint/node_modules/eslint-loader/index.js):
TypeError: eslint.CLIEngine is not a constructor
    at Object.module.exports (~/work/oss-gate/my-project/node_modules/@vue/cli-plugin-eslint/node_modules/eslint-loader/index.js:223:27)

You may use special comments to disable some warnings.
Use // eslint-disable-next-line to ignore the next line.
Use /* eslint-disable */ to ignore all warnings in a file.

• 補足事項

1. 脆弱性問題のメッセージを無視してnpm audit fix --forceを実行しなければ、npm run serveを実行してもエラーは発生しない。
2. すでにdevブランチでは修正済みの問題(vuejs/vue-cli#6714)だと思うが、その修正がv4ブランチには適用されていないと思う。
3. これを公式のバックポートリリースとして含めてくれることを望みます。

---

---

Bug：TypeError: eslint.CLIEngine is not a constructor

• Version
  Vue CLI: 4.5.15

• Environment info
  Node version: v16.13.0
  npm version: 8.1.2
  OS: macOS Big Sur 11.6

• What did you do?
  I followed Getting Started and tried to create and run a new Vue project.
  However, when I tried to start the project, I got a TypeError: eslint.CLIEngine is not a constructor.

• Steps to reproduce

npm install -g @vue/cli
vue create my-project
cd my-project
npm audit fix --force
npm run serve

1. run npm install -g @vue/cli to install the Vue CLI globally.
2. Run vue create my-project to create the project.
3. Run cd my-project and navigate to the directory where the project you created is located.
4. Run npm audit fix --force because you will get a message that there is a vulnerability problem during installation.
5. However, I get a message that the vulnerability issue cannot be resolved.
6. Ignore the vulnerability issue for now and run npm run serve.
7. TypeError: eslint.CLIEngine is not a constructor is raised.

$ npm run serve

> my-project@0.1.0 serve
> vue-cli-service serve

 INFO  Starting development server...
98% after emitting CopyPlugin

 ERROR  Failed to compile with 1 errors                                                                         19:48:55

Module build failed (from ./node_modules/@vue/cli-plugin-eslint/node_modules/eslint-loader/index.js):
TypeError: eslint.CLIEngine is not a constructor
    at Object.module.exports (~/work/oss-gate/my-project/node_modules/@vue/cli-plugin-eslint/node_modules/eslint-loader/index.js:223:27)

You may use special comments to disable some warnings.
Use // eslint-disable-next-line to ignore the next line.
Use /* eslint-disable */ to ignore all warnings in a file.

• Supplementary information

1. If you ignore the vulnerability issue message and don't run npm audit fix --force, you won't get an error when you run npm run serve.
2. I think the problem has already been fixed in the dev branch (vuejs/vue-cli#6714), but I don't think the fix has been applied to the v4 branch.
3. I hope they will include this as an official backport release.

[piroor]

v4でserveに失敗する問題については、eslintのバージョンの上限を依存関係で設定する解決策はどうか？（提案）

[kaiyu-tech]

v4でserveに失敗する問題については、eslintのバージョンの上限を依存関係で設定する解決策はどうか？（提案）

v4ブランチの最新コードに対してyarnを行うと以下のエラーが出るため、「eslintのバージョンの上限を依存関係で設定」して解決するかのテストができないのが難しいところです。

$ yarn
(略)
error An unexpected error occurred: "ENOENT: no such file or directory, lstat '~/work/oss-gate/vue-cli/packages/test/e2e-serve-router/node_modules/@vue/cli-service/node_modules'".
(略)

また、devブランチでも同様のエラーが出ます。

$ yarn
(略)
error An unexpected error occurred: "ENOENT: no such file or directory, lstat '~/work/oss-gate/vue-cli/packages/test/eslint-dynamic-import/node_modules/@vue/cli-service/node_modules/@vue'".
(略)

これらについても報告するか、原因を探るかが必要だと考えています。

[yuseitahara]

英文、ほとんどOKだと思います。ちょっとだけ細かいところをコメントさせていただきます。

However, when I tried to start the project, I got a TypeError: eslint.CLIEngine is not a constructor.

I got "TypeError: eslint.CLIEngine is not a constructor." で I got a の a は要らないですね。

3. I hope they will include this as an official backport release.

この they が何なのか分かりませんでした。

[yuseitahara]

3. I hope they will include this as an official backport release.

あと、ここは I hope じゃなくて、Is is possible to backport that fix to v4? みたいな感じで普通に質問文にしたほうがいいんじゃないかなと思いました。 I hope だと何か言いっぱなしな感じなので。

[yuseitahara]

さらに細かいことですが

2. I think the problem has already been fixed

〜のようだ It seems that がここでは使えますね。

[kaiyu-tech]

@yuseitahara
素早い対応ありがとうございます！
英語が苦手なので心強いです🙏

ご指摘の点を修正してみました、以下の文章で問題点は解消されたでしょうか？🙏

---

Bug：TypeError: eslint.CLIEngine is not a constructor

• Version
  Vue CLI: 4.5.15

• Environment info
  Node version: v16.13.0
  npm version: 8.1.2
  OS: macOS Big Sur 11.6

• What did you do?
  I followed Getting Started and tried to create and run a new Vue project.
  However, when I tried to start the project, I got "TypeError: eslint.CLIEngine is not a constructor".

• Steps to reproduce

npm install -g @vue/cli
vue create my-project
cd my-project
npm audit fix --force
npm run serve

1. run npm install -g @vue/cli to install the Vue CLI globally.
2. Run vue create my-project to create the project.
3. Run cd my-project and navigate to the directory where the project you created is located.
4. Run npm audit fix --force because you will get a message that there is a vulnerability problem during installation.
5. However, I get a message that the vulnerability issue cannot be resolved.
6. Ignore the vulnerability issue for now and run npm run serve.
7. TypeError: eslint.CLIEngine is not a constructor is raised.

$ npm run serve

> my-project@0.1.0 serve
> vue-cli-service serve

 INFO  Starting development server...
98% after emitting CopyPlugin

 ERROR  Failed to compile with 1 errors                                                                         19:48:55

Module build failed (from ./node_modules/@vue/cli-plugin-eslint/node_modules/eslint-loader/index.js):
TypeError: eslint.CLIEngine is not a constructor
    at Object.module.exports (~/work/oss-gate/my-project/node_modules/@vue/cli-plugin-eslint/node_modules/eslint-loader/index.js:223:27)

You may use special comments to disable some warnings.
Use // eslint-disable-next-line to ignore the next line.
Use /* eslint-disable */ to ignore all warnings in a file.

• Supplementary information

1. If you ignore the vulnerability issue message and don't run npm audit fix --force, you won't get an error when you run npm run serve.
2. It seems that the problem has already been fixed in the dev branch (vuejs/vue-cli#6714), but I don't think the fix has been applied to the v4 branch.
3. Is is possible to backport that fix to v4?

[yuseitahara]

いいと思います。あとはこれをVueのイシューに投稿すれば、開発者の誰かが返事をくれると思います。

v5で修正済みの不具合をv4に移植するのがどのくらい手間のかかることなのか、v5のリリース予定はどうなっているのか、そのあたりの都合によってv4にもこの修正が来るかどうかが決まるだろうと思います。

あと、今気がつきましたが Bag は Bug(不具合) のことですよね。Bagだとかばんになってしまいます。

[kaiyu-tech]

ご確認ありがとうございます！
Bag は Bug に直しました💦

また、Issueを投稿しようとしたら、Vue側が指定するフォーマットで作成するサイトに飛ばされたので少し整形し直して投稿しました。
https://new-issue.vuejs.org/?repo=vuejs/vue-cli

以下が実際に投稿したIssueです。
vuejs/vue-cli#6798

仰られる通り実際にv4が修正されるかはVue側の考えもあると思いますのでそこは期待せずに待とうと思います！

[github-actions]

おつかれさまでした！

ワークショップの終了にともないissueを閉じますが、このまま作業メモとして使っても構いません 👌

ワークショップの感想を集めています！

ブログなどに書かれた際は、このページへリンクの追加をお願いします 🙏

またの参加をお待ちしています！