Testing out Strapi for use on a client project, but the app needs to pass a security audit. I do not believe it can pass a security audit with the numerous warnings and even deprecated libraries that are included in the application.
I was wondering what is the best approach for addressing this issue, short of not using this solution.
aaronksaunders@Aarons-14MacBookProM1Pro my-project % yarn upgrade
yarn upgrade v1.22.17
error No lockfile in this directory. Run `yarn install` to generate one.
info Visit https://yarnpkg.com/en/docs/cli/upgrade for documentation about this command.
aaronksaunders@Aarons-14MacBookProM1Pro my-project % yarn audit
yarn audit v1.22.17
info No lockfile found.
warning @strapi/plugin-users-permissions > request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
warning @strapi/plugin-users-permissions > uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
warning @strapi/plugin-users-permissions > request > uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
warning @strapi/plugin-users-permissions > request > har-validator@5.1.5: this library is no longer supported
warning @strapi/plugin-users-permissions > koa2-ratelimit > mongoose > @types/mongodb > @types/bson@4.2.0: This is a stub types definition. bson provides its own type definitions, so you do not need this installed.
warning @strapi/strapi > @strapi/generate-new > uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
warning @strapi/strapi > koa-ip > debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
warning @strapi/strapi > koa-session > uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
warning @strapi/strapi > koa-body > formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
warning @strapi/strapi > @strapi/admin > node-polyfill-webpack-plugin > url > querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
warning @strapi/strapi > @strapi/plugin-email > @strapi/provider-email-sendmail > sendmail > mailcomposer@3.12.0: This project is unmaintained
warning @strapi/strapi > @strapi/generators > plop > liftoff > findup-sync > micromatch > snapdragon > source-map-resolve > resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
warning @strapi/strapi > @strapi/generators > plop > liftoff > findup-sync > micromatch > snapdragon > source-map-resolve > urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
warning @strapi/strapi > @strapi/plugin-email > @strapi/provider-email-sendmail > sendmail > mailcomposer > buildmail@3.10.0: This project is unmaintained
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @strapi/strapi │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @strapi/strapi > @strapi/generators > plop > ora > │
│ │ strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1004946 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate │ Inefficient Regular Expression Complexity in │
│ │ chalk/ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @strapi/strapi │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @strapi/strapi > @strapi/plugin-content-type-builder > │
│ │ @strapi/generators > plop > ora > strip-ansi > ansi-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://www.npmjs.com/advisories/1004946 │
└───────────────┴──────────────────────────────────────────────────────────────┘
2 vulnerabilities found - Packages audited: 1487
Severity: 2 Moderate
✨ Done in 17.59s.
aaronksaunders@Aarons-14MacBookProM1Pro my-project %
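One way to turn output like the above into something an auditor can act on, as an added example that is not from the original post or from Strapi: a Node script that reads `yarn audit --json` (Yarn 1 prints one JSON object per line), keeps advisories at or above a chosen severity, de-duplicates the same advisory reached via several dependency paths, and emits the `resolutions` entries for package.json that pin each affected transitive package to its patched range. Yarn needs a lockfile before it will audit, so `yarn install` has to run first; the sample lines below are constructed to mirror the ansi-regex advisory shown in the post.

```javascript
// Triage Yarn 1 `yarn audit --json` (newline-delimited JSON) by severity.
// Added example, not Strapi code. SAMPLE_AUDIT_JSON is constructed from the
// ansi-regex advisory in the post: two paths to one module, then the summary.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const ADVISORY = {
  module_name: 'ansi-regex', severity: 'moderate', patched_versions: '>=5.0.1',
  title: 'Inefficient Regular Expression Complexity in chalk/ansi-regex',
  url: 'https://www.npmjs.com/advisories/1004946',
};
const SAMPLE_AUDIT_JSON = [
  { type: 'auditAdvisory', data: { advisory: ADVISORY, resolution: { id: 1004946, dev: false,
    path: '@strapi/strapi>@strapi/generators>plop>ora>strip-ansi>ansi-regex' } } },
  { type: 'auditAdvisory', data: { advisory: ADVISORY, resolution: { id: 1004946, dev: false,
    path: '@strapi/strapi>@strapi/plugin-content-type-builder>@strapi/generators>plop>ora>strip-ansi>ansi-regex' } } },
  { type: 'auditSummary', data: { totalDependencies: 1487,
    vulnerabilities: { info: 0, low: 0, moderate: 2, high: 0, critical: 0 } } },
].map(o => JSON.stringify(o)).join('\n');

// Returns the advisories at or above minSeverity (one record per module, with
// every dependency path that reaches it), the package.json "resolutions" map
// that forces each module onto its patched range, and a CI pass/fail flag.
function triageAudit(ndjson, minSeverity = 'moderate') {
  const min = SEVERITY_RANK[minSeverity];
  const byModule = new Map();
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue;
    const entry = JSON.parse(line);
    if (entry.type !== 'auditAdvisory') continue;   // summary lines are skipped
    const { advisory, resolution } = entry.data;
    if ((SEVERITY_RANK[advisory.severity] ?? 0) < min) continue;
    const rec = byModule.get(advisory.module_name) || {
      module: advisory.module_name, severity: advisory.severity,
      patched: advisory.patched_versions, url: advisory.url, paths: [],
    };
    rec.paths.push(resolution.path);
    byModule.set(advisory.module_name, rec);
  }
  const findings = [...byModule.values()];
  // Yarn 1 applies a top-level "resolutions" field in package.json to
  // transitive dependencies, which is how a package pulled in by a plugin
  // (here via @strapi/generators > plop > ora) can be pinned to the fixed range.
  const resolutions = Object.fromEntries(findings.map(f => [f.module, f.patched]));
  return { findings, resolutions, failBuild: findings.length > 0 };
}

console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT_JSON, 'moderate'), null, 2));
```

Re-run `yarn install` and `yarn audit` after adding the resolutions, since forcing a newer major of a transitive package can break the package that depends on it.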