High security risk with @roots/bud 6.32.2 (latest)

When I try to use the following (latest) packages:

"devDependencies": {
    "@roots/bud": "6.23.2",
    "@roots/bud-swc": "^6.23.2",
    "@roots/bud-tailwindcss": "6.23.2",
    "@roots/eslint-config": "^6.23.2",
    "@roots/sage": "6.23.2",
    "@tailwindcss/aspect-ratio": "^0.4.2",
    "@types/luxon": "^3.4.2",
    "@types/react": "^18.3.3",
    "@types/react-dom": "^18.3.0",
    "@types/wordpress__block-editor": "^11.5.15",
    "@types/wordpress__blocks": "^12.5.14",
    "@types/wordpress__edit-post": "^7.5.7",
    "eslint": "^8.56.0",
    "prisma": "5.18.0",
    "stylelint": "^16.8.2",
    "type-fest": "^4.24.0"
  },
  "dependencies": {
    "@prisma/client": "5.18.0",
    "@wordpress/server-side-render": "^5.5.0",
    "framer-motion": "^11.3.28",
    "htmx.org": "^1.9.12",
    "luxon": "^3.5.0",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
    "react-swipeable": "^7.0.1",
    "recaptcha-v3": "^1.11.3"
  }

I’m getting the following when I run `npm audit`:

```text
axios  1.3.2 - 1.7.3
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix --force`
Will install @roots/bud@2023.2.11, which is a breaking change
node_modules/axios
  @roots/bud-support  0.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
  Depends on vulnerable versions of axios
  node_modules/@roots/bud-support
    @roots/bud  0.0.0 || 3.2.0-next.0 - 4.0.0 || 5.7.5 || 6.10.0 - 6.23.2 || >=2023.2.12
    Depends on vulnerable versions of @roots/bud-api
    Depends on vulnerable versions of @roots/bud-build
    Depends on vulnerable versions of @roots/bud-cache
    Depends on vulnerable versions of @roots/bud-compiler
    Depends on vulnerable versions of @roots/bud-dashboard
    Depends on vulnerable versions of @roots/bud-entrypoints
    Depends on vulnerable versions of @roots/bud-extensions
    Depends on vulnerable versions of @roots/bud-framework
    Depends on vulnerable versions of @roots/bud-hooks
    Depends on vulnerable versions of @roots/bud-minify
    Depends on vulnerable versions of @roots/bud-server
    Depends on vulnerable versions of @roots/bud-support
    node_modules/@roots/bud
      @roots/bud-entrypoints  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
      Depends on vulnerable versions of @roots/bud
      Depends on vulnerable versions of @roots/bud-framework
      node_modules/@roots/bud-entrypoints
        @roots/sage  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
        Depends on vulnerable versions of @roots/bud
        Depends on vulnerable versions of @roots/bud-build
        Depends on vulnerable versions of @roots/bud-entrypoints
        Depends on vulnerable versions of @roots/bud-framework
        Depends on vulnerable versions of @roots/bud-postcss
        Depends on vulnerable versions of @roots/bud-preset-wordpress
        Depends on vulnerable versions of @roots/bud-support
        node_modules/@roots/sage
      @roots/bud-preset-recommend  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
      Depends on vulnerable versions of @roots/bud
      Depends on vulnerable versions of @roots/bud-framework
      Depends on vulnerable versions of @roots/bud-postcss
      Depends on vulnerable versions of @roots/bud-swc
      node_modules/@roots/bud-preset-recommend
      @roots/bud-swc  0.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
      Depends on vulnerable versions of @roots/bud
      Depends on vulnerable versions of @roots/bud-framework
      Depends on vulnerable versions of @roots/bud-support
      node_modules/@roots/bud-swc
      @roots/bud-tailwindcss  <=2.0.0-next.32 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
      Depends on vulnerable versions of @roots/bud
      Depends on vulnerable versions of @roots/bud-framework
      Depends on vulnerable versions of @roots/bud-postcss
      Depends on vulnerable versions of @roots/bud-support
      node_modules/@roots/bud-tailwindcss
      @roots/bud-tailwindcss-theme-json  0.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
      Depends on vulnerable versions of @roots/bud
      Depends on vulnerable versions of @roots/bud-framework
      Depends on vulnerable versions of @roots/bud-support
      Depends on vulnerable versions of @roots/bud-wordpress-theme-json
      node_modules/@roots/bud-tailwindcss-theme-json
      @roots/bud-wordpress-dependencies  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
      Depends on vulnerable versions of @roots/bud
      Depends on vulnerable versions of @roots/bud-framework
      node_modules/@roots/bud-wordpress-dependencies
        @roots/bud-preset-wordpress  0.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
        Depends on vulnerable versions of @roots/bud-extensions
        Depends on vulnerable versions of @roots/bud-framework
        Depends on vulnerable versions of @roots/bud-preset-recommend
        Depends on vulnerable versions of @roots/bud-react
        Depends on vulnerable versions of @roots/bud-support
        Depends on vulnerable versions of @roots/bud-tailwindcss-theme-json
        Depends on vulnerable versions of @roots/bud-wordpress-dependencies
        Depends on vulnerable versions of @roots/bud-wordpress-externals
        Depends on vulnerable versions of @roots/bud-wordpress-theme-json
        node_modules/@roots/bud-preset-wordpress
    @roots/bud-api  0.0.0 || 5.7.5 || 6.10.0 - 6.23.2 || >=2023.2.12
    Depends on vulnerable versions of @roots/bud-extensions
    Depends on vulnerable versions of @roots/bud-framework
    Depends on vulnerable versions of @roots/bud-minify
    Depends on vulnerable versions of @roots/bud-support
    node_modules/@roots/bud-api
    @roots/bud-build  0.0.0 || 3.2.0-next.0 - 4.0.0 || 5.7.5 || 6.10.0 - 6.23.2 || >=2023.2.12
    Depends on vulnerable versions of @roots/bud-framework
    Depends on vulnerable versions of @roots/bud-support
    node_modules/@roots/bud-build
      @roots/bud-postcss  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
      Depends on vulnerable versions of @roots/bud-build
      Depends on vulnerable versions of @roots/bud-framework
      Depends on vulnerable versions of @roots/bud-support
      node_modules/@roots/bud-postcss
    @roots/bud-cache  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.10.0 - 6.23.2 || >=2023.2.12
    Depends on vulnerable versions of @roots/bud-framework
    Depends on vulnerable versions of @roots/bud-support
    node_modules/@roots/bud-cache
    @roots/bud-compiler  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.10.0 - 6.23.2 || >=2023.2.12
    Depends on vulnerable versions of @roots/bud-dashboard
    Depends on vulnerable versions of @roots/bud-framework
    Depends on vulnerable versions of @roots/bud-support
    node_modules/@roots/bud-compiler
    @roots/bud-dashboard  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
    Depends on vulnerable versions of @roots/bud-framework
    Depends on vulnerable versions of @roots/bud-support
    node_modules/@roots/bud-dashboard
    @roots/bud-extensions  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
    Depends on vulnerable versions of @roots/bud-framework
    Depends on vulnerable versions of @roots/bud-minify
    Depends on vulnerable versions of @roots/bud-support
    node_modules/@roots/bud-extensions
    @roots/bud-framework  0.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
    Depends on vulnerable versions of @roots/bud-support
    node_modules/@roots/bud-framework
      @roots/bud-hooks  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
      Depends on vulnerable versions of @roots/bud-framework
      Depends on vulnerable versions of @roots/bud-support
      node_modules/@roots/bud-hooks
      @roots/bud-react  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
      Depends on vulnerable versions of @roots/bud-framework
      Depends on vulnerable versions of @roots/bud-support
      node_modules/@roots/bud-react
      @roots/bud-server  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
      Depends on vulnerable versions of @roots/bud-framework
      Depends on vulnerable versions of @roots/bud-support
      node_modules/@roots/bud-server
      @roots/bud-wordpress-externals  0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
      Depends on vulnerable versions of @roots/bud-framework
      node_modules/@roots/bud-wordpress-externals
    @roots/bud-minify  *
    Depends on vulnerable versions of @roots/bud
    Depends on vulnerable versions of @roots/bud-framework
    Depends on vulnerable versions of @roots/bud-support
    node_modules/@roots/bud-minify
    @roots/bud-wordpress-theme-json  0.0.0 || 6.11.0 - 6.23.2 || >=2023.2.12
    Depends on vulnerable versions of @roots/bud-framework
    Depends on vulnerable versions of @roots/bud-support
    node_modules/@roots/bud-wordpress-theme-json

25 high severity vulnerabilities
```

From https://github.com/roots/bud/blob/f7c67ef85824fe4f916ae1a025395896a245ddd4/SECURITY.md:

> While we take security very seriously it is important to remember that nearly all bud.js dependencies are run in local developer environments only, and even more bud.js dependencies are only used within the context of this repository. In the context of a build tool, many “vulnerabilities” are safe to ignore. Runtime vulnerabilities will always be taken very seriously and handled with urgency.

Kelly commented on a similar issue here: Upgrade vulnerable deps: webpack-dev-middleware (<6.1.2) · Issue #2594 · roots/bud · GitHub

Please use backticks when pasting code blocks on these forums, it makes posts easier to read :pray:

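The SECURITY.md position quoted above turns on one question: is the vulnerable package reachable from the code you ship, or only from the build tool? The following is an added example, not code from the original post or from the roots/bud project. It takes the shape of an `npm audit --json` report (auditReportVersion 2) and the `packages` map of a package-lock.json (lockfileVersion 2 or 3), walks the lockfile from the root's runtime `dependencies` only, and reports for each finding whether any affected install path is runtime-reachable. The lockfile and audit excerpts are constructed to mirror the axios finding in the post (a trimmed `@roots/bud` → `@roots/bud-support` → `axios` chain); `example-widget` is a placeholder package name used only for the counterfactual.

```javascript
// Added example (not from the original post or the roots/bud project): is an npm audit
// finding reachable from runtime "dependencies", or only from "devDependencies"?
// Input shapes follow `npm audit --json` (auditReportVersion 2) and package-lock.json
// (lockfileVersion 2/3); all data below is constructed for the example.

// Constructed lockfile excerpt. "" is the project root; other keys are node_modules paths.
const lockPackages = {
  '': {
    dependencies: { react: '^18.3.1' },
    devDependencies: { '@roots/bud': '6.23.2' },
  },
  'node_modules/react': { version: '18.3.1' },
  'node_modules/@roots/bud': { version: '6.23.2', dev: true,
    dependencies: { '@roots/bud-support': '6.23.2' } },
  'node_modules/@roots/bud-support': { version: '6.23.2', dev: true,
    dependencies: { axios: '^1.6.0' } },
  'node_modules/axios': { version: '1.7.3', dev: true },
};

// Constructed audit excerpt carrying the advisory the post cites.
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: 'axios', severity: 'high', isDirect: false, range: '1.3.2 - 1.7.3',
      via: [{ title: 'Server-Side Request Forgery in axios',
              url: 'https://github.com/advisories/GHSA-8hc4-vh64-cxmj' }],
      nodes: ['node_modules/axios'],
      fixAvailable: { name: '@roots/bud', version: '2023.2.11', isSemVerMajor: true },
    },
  },
};

// Resolve a dependency name from an install path the way Node does: try
// <path>/node_modules/<name>, then walk up one node_modules level at a time.
function resolveNode(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (candidate in lock) return candidate;
    if (!base) return null; // not installed (e.g. an unmet optional dependency)
    const up = base.lastIndexOf('/node_modules/');
    base = up === -1 ? '' : base.slice(0, up);
  }
}

// Breadth-first walk from the root's runtime "dependencies" only; devDependencies are
// never followed, so any install path left unvisited is dev-only (or unreachable).
function runtimeReachable(lock) {
  const seen = new Set();
  const queue = [''];
  while (queue.length) {
    const path = queue.shift();
    const pkg = lock[path];
    const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
    for (const name of Object.keys(deps)) {
      const target = resolveNode(lock, path, name);
      if (target && !seen.has(target)) { seen.add(target); queue.push(target); }
    }
  }
  return seen;
}

// Classify each audit finding. `devFlagAgrees` cross-checks the walk against the
// lockfile's own `dev: true` marker on every affected node.
function classifyFindings(report, lock) {
  const reachable = runtimeReachable(lock);
  return Object.values(report.vulnerabilities).map((v) => {
    const runtimeNodes = v.nodes.filter((n) => reachable.has(n));
    const lockSaysDev = v.nodes.every((n) => lock[n] && lock[n].dev === true);
    return {
      name: v.name,
      severity: v.severity,
      advisories: v.via.filter((x) => typeof x === 'object').map((x) => x.url),
      runtimeReachable: runtimeNodes.length > 0,
      runtimeNodes,
      devFlagAgrees: lockSaysDev === (runtimeNodes.length === 0),
      breakingFix: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
    };
  });
}

// Counterfactual for contrast: add a constructed runtime package ("example-widget" is a
// placeholder name) that depends on the same hoisted axios, so the verdict flips.
function withRuntimeConsumer(lock) {
  const copy = JSON.parse(JSON.stringify(lock));
  copy[''].dependencies['example-widget'] = '1.0.0';
  copy['node_modules/example-widget'] = { version: '1.0.0', dependencies: { axios: '^1.6.0' } };
  delete copy['node_modules/axios'].dev; // npm drops the flag once a runtime path exists
  return copy;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(classifyFindings(auditReport, lockPackages));             // runtimeReachable: false
  console.log(classifyFindings(auditReport, withRuntimeConsumer(lockPackages))); // true
}
```

For the constructed lockfile the axios finding comes out as dev-only, which is the situation the post describes: the SSRF advisory is real, but the only path to axios runs through the build tool, so nothing in the shipped theme bundle imports it. The same walk flips to runtime-reachable as soon as a runtime dependency pulls in the same hoisted copy, which is the case the SECURITY.md text says would be handled with urgency. The built-in shortcut for the first question is `npm audit --omit=dev`, which reports only findings reachable from runtime dependencies; the walk above is useful when you want the verdict recorded per finding (for an allowlist or a ticket) rather than just filtered out of the output.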

Sounds good. Yeah duh on the back ticks! :man_facepalming:t2: