Should I be concerned about NPM vulnerabilities when using Vue?

Question

I just installed @Vue-cli and I decided to create my first project using Vue3. After running vue create hello-world and it finished building the project, the cli said 7 moderate severity vulnerabilities

How bad are these? moderate is very subjective. I tried running npm audit fix --force which instead said 28 vulnerabilities (16 moderate, 12 high).

Is this just one of the things you should just accept and hope that no one exploits the vulnerabilities?

After running npm audit it said this

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install @vue/[email protected], which is a breaking change
node_modules/log-update/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/log-update/node_modules/strip-ansi
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/log-update/node_modules/string-width
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/log-update/node_modules/wrap-ansi
        log-update  2.1.0 - 3.4.0
        Depends on vulnerable versions of wrap-ansi
        node_modules/log-update
          progress-webpack-plugin  *
          Depends on vulnerable versions of log-update
          node_modules/progress-webpack-plugin
            @vue/cli-service  >=5.0.0-alpha.0
            Depends on vulnerable versions of progress-webpack-plugin
            node_modules/@vue/cli-service

Which to me looks like it all boils down to Inefficient Regular Expression Complexity in chalk/ansi-regex.

What's the proper way of dealing with this? Just letting it be or is it as easy as updating a package?

Answer 1

On top of my other answer, I'll add that everything is hackable nowadays. Is it an issue per-se? Not really since you're not really launching rockets.

Is it spooky? Yeah maybe because of how it sounds but at the end, if somebody in your company opens a phishing email you're exposed, so yeah: live your life and don't worry too much about it.

Also, a as reminder: every package that you install can be malicious at some point and during various steps. If you want a 100% bullet-proof codebase, you'll need to write everything yourself from bottom to top.