Version
27.0.5
Steps to reproduce
Use Jest@latest (27.2.4 today).
Run npm audit, see audit failures related to lodash (this is from better-npm-audit):
╔══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╗
║ === npm audit security report === ║
║ ║
║ ID │ Module │ Title │ Paths │ Sev. │ URL │ Ex. ║
║ 1002373 │ lodash │ Arbitrary code execution in lodash │ lodash │ critical │ https://github.com/advisories/GHSA-8p5q-j9m2-g8wr │ n ║
╚═════════╧════════╧════════════════════════════════════╧═════════════════╧══════════╧═══════════════════════════════════════════════════╧═════╝
But when you look at the advisory it's an edge case: it's a vulnerability that is only present when you take user input and put it into a template. NPM's audit is very paranoid and that's OK. Better to get notified about all potential failures IMO.
Then I run a why and get a lot of output similar to this:
node_modules/jest-cli
jest-cli@"^27.2.4" from jest@27.2.4
node_modules/jest
dev jest@"^27.2.4" from the root project
peer jest@"^27.0.0" from ts-jest@27.0.5
node_modules/ts-jest
dev ts-jest@"^27.0.5" from the root project
So the conclusion seems to be that ts-jest is importing too much of Lodash.
Expected behavior
I'd like ts-jest to not result in audit failures.
Actual behavior
I'm getting audit failures.
Debug log
I don't think this is relevant here.
Additional context
We solve this by importing the mini-packages like lodash.range. It looks like this is feasible here as well.
I'm open to making a PR for this if the team is willing to consider this change.
Environment
System:
OS: macOS 10.15.7
CPU: (16) x64 Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
Binaries:
Node: 14.17.6 - ~/.nvm/versions/node/v14.17.6/bin/node
npm: 7.22.0 - ~/.nvm/versions/node/v14.17.6/bin/npm
npmPackages:
jest: ^27.2.4 => 27.2.4