Deprecated packages and vulnerabilities in Hybrid app

0
Hi all, I am trying to build a hybrid app and I am following the steps in https://docs.mendix.com/developerportal/deploy/mobileapp. I have downloaded the package, unzipped it and installed NPM as mentioned in step 4.2.1. In the output I see a lot of warnings about deprecated packages. It also says there are 13 vulnerabilities. Running 'npm audit fix' does not remove the vulnerabilities. Neither does installing newer versions of the mentioned packages. Can I just ignore these warnings about deprecated packages? And the vulnerabilities, how can I solve them?

Output of npm install:

npm WARN deprecated phonegap@9.0.0: This package is deprecated, see https://blog.phonegap.com/update-for-customers-using-phonegap-and-phonegap-build-cc701c77502c
npm WARN deprecated connect-phonegap@0.25.0: This package is deprecated, see https://blog.phonegap.com/update-for-customers-using-phonegap-and-phonegap-build-cc701c77502c
npm WARN deprecated phonegap-build@1.0.0: This package is deprecated, see https://blog.phonegap.com/update-for-customers-using-phonegap-and-phonegap-build-cc701c77502c
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated chokidar@1.7.0: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated phonegap-build-api@1.0.0: This package is deprecated, see https://blog.phonegap.com/update-for-customers-using-phonegap-and-phonegap-build-cc701c77502c
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated mkdirp@0.3.0: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated core-js@2.6.11: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated browserslist@1.7.7: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated

> fsevents@1.2.13 install /Users/user915234/Documents/Test/phonegap_Test_20201015_1253/node_modules/connect-phonegap/node_modules/fsevents
> node install.js

SOLINK_MODULE(target) Release/.node
CXX(target) Release/obj.target/fse/fsevents.o
SOLINK_MODULE(target) Release/fse.node

> fsevents@1.2.13 install /Users/user915234/Documents/Test/phonegap_Test_20201015_1253/node_modules/watchpack-chokidar2/node_modules/fsevents
> node install.js

SOLINK_MODULE(target) Release/.node
CXX(target) Release/obj.target/fse/fsevents.o
SOLINK_MODULE(target) Release/fse.node

> core-js@2.6.11 postinstall /Users/user915234/Documents/Test/phonegap_Test_20201015_1253/node_modules/core-js
> node -e "try{require('./postinstall')}catch(e){}"

Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!

The project needs your help! Please consider supporting of core-js on Open Collective or Patreon:
> https://opencollective.com/core-js
> https://www.patreon.com/zloirock

Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)

> uglifyjs-webpack-plugin@0.4.6 postinstall /Users/user915234/Documents/Test/phonegap_Test_20201015_1253/node_modules/uglifyjs-webpack-plugin
> node lib/post_install.js

> @mendix/mendix-hybrid-app-template@5.0.0 install /Users/user915234/Documents/Test/phonegap_Test_20201015_1253
> npm run init

> @mendix/mendix-hybrid-app-template@5.0.0 init /Users/user915234/Documents/Test/phonegap_Test_20201015_1253
> node init

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN notsup Unsupported engine for watchpack-chokidar2@2.0.0: wanted: {"node":"<8.10.0"} (current: {"node":"12.19.0","npm":"6.14.8"})
npm WARN notsup Not compatible with your version of node/npm: watchpack-chokidar2@2.0.0
npm WARN notsup Unsupported engine for got@5.7.1: wanted: {"node":">=0.10.0 <7"} (current: {"node":"12.19.0","npm":"6.14.8"})
npm WARN notsup Not compatible with your version of node/npm: got@5.7.1
npm WARN i18n-webpack-plugin@0.3.0 requires a peer of webpack@>=0.10 <2 || ^2.1.0-beta but none is installed. You must install peer dependencies yourself.
npm WARN ws@7.3.1 requires a peer of bufferutil@^4.0.1 but none is installed. You must install peer dependencies yourself.
npm WARN ws@7.3.1 requires a peer of utf-8-validate@^5.0.2 but none is installed. You must install peer dependencies yourself.

added 1241 packages from 804 contributors and audited 1244 packages in 33.193s

38 packages are looking for funding
  run `npm fund` for details

found 13 vulnerabilities (7 low, 2 moderate, 4 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Output of npm audit:

=== npm audit security report ===

# Run  npm install webpack@5.1.2  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low            Denial of Service
  Package        mem
  Dependency of  webpack
  Path           webpack > yargs > os-locale > mem
  More info      https://npmjs.com/advisories/1084

  Low            Prototype Pollution
  Package        yargs-parser
  Dependency of  webpack
  Path           webpack > yargs > yargs-parser
  More info      https://npmjs.com/advisories/1500

  Manual Review
  Some vulnerabilities require your attention to resolve
  Visit https://go.npm.me/audit-guide for additional guidance

  Low            Regular Expression Denial of Service
  Package        braces
  Patched in     >=2.3.1
  Dependency of  phonegap [dev]
  Path           phonegap > connect-phonegap > chokidar > anymatch > micromatch > braces
  More info      https://npmjs.com/advisories/786

  Moderate       Denial of Service
  Package        js-yaml
  Patched in     >=3.13.0
  Dependency of  @mendix/mendix-hybrid-app-base
  Path           @mendix/mendix-hybrid-app-base > css-loader > cssnano > postcss-svgo > svgo > js-yaml
  More info      https://npmjs.com/advisories/788

  High           Code Injection
  Package        js-yaml
  Patched in     >=3.13.1
  Dependency of  @mendix/mendix-hybrid-app-base
  Path           @mendix/mendix-hybrid-app-base > css-loader > cssnano > postcss-svgo > svgo > js-yaml
  More info      https://npmjs.com/advisories/813

  Low            Denial of Service
  Package        mem
  Patched in     >=4.0.0
  Dependency of  @mendix/mendix-hybrid-app-base
  Path           @mendix/mendix-hybrid-app-base > webpack > yargs > os-locale > mem
  More info      https://npmjs.com/advisories/1084

  Low            Prototype Pollution
  Package        minimist
  Patched in     >=0.2.1 <1.0.0 || >=1.2.3
  Dependency of  phonegap [dev]
  Path           phonegap > minimist
  More info      https://npmjs.com/advisories/1179

  High           Prototype Pollution
  Package        dot-prop
  Patched in     >=4.2.1 <5.0.0 || >=5.1.1
  Dependency of  phonegap [dev]
  Path           phonegap > update-notifier > configstore > dot-prop
  More info      https://npmjs.com/advisories/1213

  Moderate       Cross-Site Scripting
  Package        serialize-javascript
  Patched in     >=2.1.1
  Dependency of  @mendix/mendix-hybrid-app-base
  Path           @mendix/mendix-hybrid-app-base > copy-webpack-plugin > serialize-javascript
  More info      https://npmjs.com/advisories/1426

  High           Remote Code Execution
  Package        serialize-javascript
  Patched in     >=3.1.0
  Dependency of  @mendix/mendix-hybrid-app-base
  Path           @mendix/mendix-hybrid-app-base > copy-webpack-plugin > serialize-javascript
  More info      https://npmjs.com/advisories/1548

  High           Denial of Service
  Package        http-proxy
  Patched in     >=1.18.1
  Dependency of  phonegap [dev]
  Path           phonegap > connect-phonegap > http-proxy
  More info      https://npmjs.com/advisories/1486

  Low            Prototype Pollution
  Package        yargs-parser
  Patched in     >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
  Dependency of  @mendix/mendix-hybrid-app-base
  Path           @mendix/mendix-hybrid-app-base > webpack > yargs > yargs-parser
  More info      https://npmjs.com/advisories/1500

  Low            Prototype Pollution
  Package        yargs-parser
  Patched in     >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
  Dependency of  phonegap [dev]
  Path           phonegap > connect-phonegap > localtunnel > yargs > yargs-parser
  More info      https://npmjs.com/advisories/1500

found 13 vulnerabilities (7 low, 2 moderate, 4 high) in 1244 scanned packages
  2 vulnerabilities require semver-major dependency updates.
  11 vulnerabilities require manual review.
  See the full report for details.
asked
1 answers
0

Having deprecation and security warnings is never nice, and it is best to check out the provided URLs to understand what you are dealing with.

The risk of not addressing deprecation warnings is that your build process or app might break.
Since the hybrid-app-template is supported by Mendix, I think it is safe to assume that they will address these issues.

As for the security vulnerabilities, they all relate to either phonegap or webpack packages, which are used in building the app. Since phonegap is discontinued, you can ignore these. For the webpack vulnerabilities, it is best to check out the advisory link to understand the risk they pose. If you do not feel safe ignoring them, you could do the following.

See the following link for the full explanation:
https://npmjs.com/advisories/1179

answered
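Added example, not from the post or from Mendix: a Node script that triages an `npm audit --json` report along the lines the answer suggests, grouping the repeated advisory ids (1500 is printed three times above, once per path) and separating findings reachable only through the `[dev]` phonegap CLI from those under @mendix/mendix-hybrid-app-base. The JSON field layout (`advisories`, `findings[].dev`, `findings[].paths`, `patched_versions`) is assumed to match npm 6, and the sample data is constructed from three of the post's entries.

```javascript
// Constructed excerpt of `npm audit --json` (npm 6 field layout, assumed); three of
// the 13 advisories from the post, with the paths the report printed for them.
const sampleAudit = {
  advisories: {
    1500: {
      id: 1500, module_name: "yargs-parser", severity: "low", title: "Prototype Pollution",
      patched_versions: ">=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2",
      findings: [
        { dev: false, paths: ["@mendix/mendix-hybrid-app-base>webpack>yargs>yargs-parser"] },
        { dev: true, paths: ["phonegap>connect-phonegap>localtunnel>yargs>yargs-parser"] },
      ],
    },
    1548: {
      id: 1548, module_name: "serialize-javascript", severity: "high", title: "Remote Code Execution",
      patched_versions: ">=3.1.0",
      findings: [{ dev: false, paths: ["@mendix/mendix-hybrid-app-base>copy-webpack-plugin>serialize-javascript"] }],
    },
    1486: {
      id: 1486, module_name: "http-proxy", severity: "high", title: "Denial of Service",
      patched_versions: ">=1.18.1",
      findings: [{ dev: true, paths: ["phonegap>connect-phonegap>http-proxy"] }],
    },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// One row per advisory id, highest severity first. The post's report prints advisory
// 1500 three times (once per path); grouping by id gives the real number to review.
function triage(audit) {
  const rows = Object.values(audit.advisories).map((adv) => {
    const paths = adv.findings.flatMap((f) => f.paths);
    const devOnly = adv.findings.every((f) => f.dev);
    return {
      id: adv.id, severity: adv.severity, moduleName: adv.module_name, title: adv.title,
      roots: [...new Set(paths.map((p) => p.split(">")[0]))], // top-level packages pulling it in
      pathCount: paths.length,
      fixAvailable: adv.patched_versions !== "<0.0.0", // npm prints "<0.0.0" when no fix exists
      action: devOnly
        ? "devDependency only: not installed with --production; update or drop the tool"
        : "regular dependency: check whether it is bundled into the app or only used at build time",
    };
  });
  return rows.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}
// Advisory ids reachable only through one top-level package (e.g. the discontinued phonegap CLI).
function onlyVia(rows, root) {
  return rows.filter((r) => r.roots.length === 1 && r.roots[0] === root).map((r) => r.id);
}
for (const r of triage(sampleAudit)) console.log(`${r.severity}\t${r.id}\t${r.moduleName}\t${r.roots.join(",")}\t${r.action}`);
```

Run it against real output with `npm audit --json > audit.json` and pass the parsed file to `triage` instead of the constructed sample.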