vulnerabilities after update quasar-app-extension-testing-unit-jest 3.0.0

[tinohager]

After the latest update I have problems with the test project.
I have already tested it with a completely new project and here too the errors occur immediately. I also don't understand why it suggests the old version in the npm audit.

quasar upgrade -i

quasar: 2.16.2 → 2.16.4
@quasar/quasar-app-extension-testing-unit-jest: 3.0.0-beta.7 → 3.0.0

Found vulnerabilities

5 high severity vulnerabilities

npm audit fix

# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install @quasar/[email protected], which is a breaking change
node_modules/jscodeshift/node_modules/braces
  micromatch  0.2.0 - 3.1.10
  Depends on vulnerable versions of braces
  node_modules/jscodeshift/node_modules/micromatch
    jscodeshift  0.3.20 - 0.13.1
    Depends on vulnerable versions of micromatch
    node_modules/jscodeshift
      alias-hq  >=4.1.0
      Depends on vulnerable versions of jscodeshift
      node_modules/alias-hq
        @quasar/quasar-app-extension-testing-unit-jest  >=3.0.0-alpha.1
        Depends on vulnerable versions of alias-hq
        node_modules/@quasar/quasar-app-extension-testing-unit-jest

5 high severity vulnerabilities

[tinohager]

@rstoenescu Could I get some feedback here please?

[rstoenescu]

@tinohager Pinging @IlCallo , which is the daddy of the q-testing suite :)

[IlCallo]

@tinohager sorry, I'm really busy these months

I'm trying to fix it, but I'm having an hard time understanding npm quirks

Edit: seems like I fixed it, check out latest release

[IlCallo]

I'm gonna assume the problem is solved and close this due to lack of response

[tinohager]

@IlCallo the issue has unfortunately not yet been resolved

quasar upgrade -i

Global Quasar CLI • Gathering information from the NPM registry (https://registry.npmjs.org/)...
Global Quasar CLI • Congrats! All Quasar packages are up to date (according to https://registry.npmjs.org/).

npm audit fix

braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - GHSA-grv7-fg5c-xmjg
fix available via npm audit fix
node_modules/jscodeshift/node_modules/braces
micromatch 0.2.0 - 3.1.10
Depends on vulnerable versions of braces
node_modules/jscodeshift/node_modules/micromatch
jscodeshift 0.3.20 - 0.13.1
Depends on vulnerable versions of micromatch
node_modules/jscodeshift

vue-template-compiler >=2.0.0
Severity: moderate
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS) - GHSA-g3ch-rx76-35fx
fix available via npm audit fix --force
Will install @quasar/[email protected], which is a breaking change
node_modules/vue-template-compiler
vue-jscodeshift-adapter <=2.2.1
Depends on vulnerable versions of vue-template-compiler
node_modules/vue-jscodeshift-adapter
alias-hq >=4.1.0
Depends on vulnerable versions of jscodeshift
Depends on vulnerable versions of vue-jscodeshift-adapter
node_modules/alias-hq
@quasar/quasar-app-extension-testing-unit-jest >=3.0.0-alpha.1
Depends on vulnerable versions of alias-hq
node_modules/@quasar/quasar-app-extension-testing-unit-jest

7 vulnerabilities (3 moderate, 4 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force

  "dependencies": {
    "@quasar/extras": "^1.16.12",
    "core-js": "^3.6.5",
    "pinia": "^2.0.11",
    "quasar": "^2.16.6",
    "vue": "^3.0.0",
    "vue-i18n": "^9.2.2",
    "vue-router": "^4.0.0"
  },
  "devDependencies": {
    "@quasar/app-webpack": "^3.13.2",
    "@quasar/quasar-app-extension-testing": "^2.2.0",
    "@quasar/quasar-app-extension-testing-unit-jest": "^3.0.2",
    "@types/node": "^12.20.21",
    "@typescript-eslint/eslint-plugin": "^5.10.0",
    "@typescript-eslint/parser": "^5.10.0",
    "@vue/test-utils": "^2.2.0",
    "eslint": "^8.10.0",
    "eslint-config-standard": "^17.0.0",
    "eslint-plugin-import": "^2.19.1",
    "eslint-plugin-jest": "^27.1.3",
    "eslint-plugin-n": "^15.0.0",
    "eslint-plugin-promise": "^6.0.0",
    "eslint-plugin-vue": "^9.0.0",
    "jest": "^29.2.2"
  },

[tinohager]

I have now created two quasar projects from scratch (webpack and vite).

After that I tried to add “quasar ext add @quasar/testing-unit-jest”.

webpack

quasar ext add @quasar/testing-unit-jest

 App • Installing "@quasar/testing-unit-jest" Quasar App Extension

 App • Installing @quasar/quasar-app-extension-testing-unit-jest...
 App • [sync] Running "npm install --save-dev @quasar/quasar-app-extension-testing-unit-jest" in C:\quasar-2024-07-31-test\quasar-webpack

npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-nullish-coalescing-operator instead.
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead.
npm warn deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-optional-chaining instead.
npm warn deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm warn deprecated [email protected]: Use your platform's native atob() and btoa() methods instead
npm warn deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm warn deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm warn deprecated [email protected]: Use your platform's native DOMException instead

added 389 packages, and audited 1330 packages in 41s

221 packages are looking for funding
  run `npm fund` for details

7 vulnerabilities (3 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
? Jest Unit testing will now be installed. Please choose additional options:

 App • Updating /quasar.extensions.json for "@quasar/testing-unit-jest" extension ...
 App • Running App Extension install script...
 App • Installing dependencies...
 App • [sync] Running "npm install" in C:\quasar-2024-07-31-test\quasar-webpack

npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: [email protected]
npm error Found: @typescript-eslint/[email protected]
npm error node_modules/@typescript-eslint/eslint-plugin
npm error   dev @typescript-eslint/eslint-plugin@"^5.10.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peerOptional @typescript-eslint/eslint-plugin@"^6.0.0 || ^7.0.0" from [email protected]
npm error node_modules/eslint-plugin-jest
npm error   dev eslint-plugin-jest@"^28.6.0" from the root project
npm error   peerOptional eslint-plugin-jest@"^27.1.3 || ^28.0.0" from @quasar/[email protected]
npm error   node_modules/@quasar/quasar-app-extension-testing-unit-jest
npm error     dev @quasar/quasar-app-extension-testing-unit-jest@"^3.0.2" from the root project
npm error
npm error Conflicting peer dependency: @typescript-eslint/[email protected]
npm error node_modules/@typescript-eslint/eslint-plugin
npm error   peerOptional @typescript-eslint/eslint-plugin@"^6.0.0 || ^7.0.0" from [email protected]
npm error   node_modules/eslint-plugin-jest
npm error     dev eslint-plugin-jest@"^28.6.0" from the root project
npm error     peerOptional eslint-plugin-jest@"^27.1.3 || ^28.0.0" from @quasar/[email protected]
npm error     node_modules/@quasar/quasar-app-extension-testing-unit-jest
npm error       dev @quasar/quasar-app-extension-testing-unit-jest@"^3.0.2" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error C:\npm-cache\_logs\2024-07-31T12_38_59_165Z-eresolve-report.txt
npm error A complete log of this run can be found in: C:\npm-cache\_logs\2024-07-31T12_38_59_165Z-debug-0.log

 App • ⚠️  Command "npm" failed with exit code: 1

 App • ⚠️   FAIL  Failed to install dependencies

vite

quasar ext add @quasar/testing-unit-jest

 App • Installing "@quasar/testing-unit-jest" Quasar App Extension

 App • Installing @quasar/quasar-app-extension-testing-unit-jest...
 App • [sync] Running "npm install --save-dev @quasar/quasar-app-extension-testing-unit-jest" in C:\quasar-2024-07-31-test\quasar-vite

npm warn EBADENGINE Unsupported engine {
npm warn EBADENGINE   package: '[email protected]',
npm warn EBADENGINE   required: { node: '^18 || ^16 || ^14.19', npm: '>= 6.13.4', yarn: '>= 1.21.1' },
npm warn EBADENGINE   current: { node: 'v20.9.0', npm: '10.8.0' }
npm warn EBADENGINE }
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead.
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-nullish-coalescing-operator instead.
npm warn deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @babel/[email protected]: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-optional-chaining instead.
npm warn deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm warn deprecated [email protected]: Use your platform's native atob() and btoa() methods instead
npm warn deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm warn deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm warn deprecated [email protected]: Use your platform's native DOMException instead

added 564 packages, changed 1 package, and audited 1073 packages in 32s

173 packages are looking for funding
  run `npm fund` for details

7 vulnerabilities (3 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
? Jest Unit testing will now be installed. Please choose additional options:

 App • Updating /quasar.extensions.json for "@quasar/testing-unit-jest" extension ...
 App • Running App Extension install script...

 App • ⚠️  Extension(@quasar/testing-unit-jest): Dependency not found - @quasar/app-webpack. Please install it.

[IlCallo]

You cannot use the Jest AE on a Vite project

That aside, try upgrading your @typescript-eslint/eslint-plugin, we possibly need to upgrade it into the create-quasar template to
I'm not sure about vue-template-compiler and vue-jscodeshift-adapter

Coming back to the project you're upgrading, have you tried to delete package-lock and re-installing?
There may be some transitional dependencies which aren't really under our control

[tinohager]

The basic problem is that it does not work with a new quasar project either. As long as this is the case, it will probably not work for my project either.

[tinohager]

In the Documentation of quasar "https://github.com/quasarframework/quasar/blob/dev/docs/src/pages/quasar-cli-vite/testing-and-auditing.md"

This part is wrong? quasar ext add @quasar/testing-unit-jest

Installing

$ cd your-quasar-project


$ quasar ext add @quasar/testing-e2e-cypress
# or
$ quasar ext add @quasar/testing-unit-jest
# or
$ quasar ext add @quasar/testing-unit-vitest

[tinohager]

It's unbelievable how many dependencies there are here
https://npmgraph.js.org/?q=@quasar/quasar-app-extension-testing-unit-jest#deps=devDependencies&color=outdated

[IlCallo]

Welcome to JS ecosystem, and Jest sub-ecosystem in particular :)
Not much we can do about the incredible number of packages honestly

---

I just tried creating a new Quasar TS project with Webpack using NPM
It indeed errors out due to TS version conflict, because of NPM resolution logic, which isn't really deterministic and keeps changing
It used to automatically hoist app-webpack TS version (4.9), now it's hoisting other dependencies one (5.5)
Strange out project creation tests didn't catch this

@rstoenescu we need to add an override field when using NPM to force the usage of the old TS version, since we cannot upgrade it in app-webpack-v3 due to fork-ts-checker-webpack-plugin new versions problems
Strange our project creation tests didn't catch this, it breaks right after creation, when running the linting command

Here's the fix to apply on the create-quasar template, I can commit it myself if you prefer

"overrides": {
    "typescript": "~4.9.5"
}

This is for pnpm instead

  "pnpm": {
    "overrides": {
      "typescript": "^4.9.4"
    }
  },

Yarn seems to do fine without overrides or resolutions fields

This should be the package.json where to add the fix: https://github.com/quasarframework/quasar/blob/dev/create-quasar/templates/app/quasar-v2/ts-webpack-3/BASE/_package.json

That said, a couple ESLint related to TS deps are too old, that's why there are problems when installing Jest AE
We need to bump @typescript-eslint/eslint-plugin and @typescript-eslint/parser to v6, v7 at most, but NOT v8

Here are the dependencies to bump
https://github.com/quasarframework/quasar/blob/05de37b7a24196152e18e8e4328ed06734d56ca6/create-quasar/templates/app/quasar-v2/ts-webpack-3/BASE/_package.json#L29-L30

---

Then I added Jest AE and I indeed got the reported vulnerabilities you mentioned
Seems like all of them come from alias-hq dependency, as you discovered already, so the best course of action would be to open a PR at their repo proposing a fix

The problem doesn't seem that severe to me, since it's a problem related to unit testing and it won't affect the app at runtime
Let's wait for them to bump their deps, then we'll follow up and bump ours accordingly

---

Reference: davestewart/alias-hq#77

[IlCallo]

@tinohager

Notice that the problems here come from really old packages deep into the JS ecosystem

https://github.com/facebook/jscodeshift is currently trying to get back on track after years without an official maintainer
https://github.com/micromatch/braces has been barely mantained since more than 5 years

On top of that, many of these vulnerabilities aren't really exploitable if not in super rare cases, as braces maintainer points out here
Check out this discussion too

I guess the whole ecosystem needs a major overhaul to fix these kind of stuff, which are way out of our scope and possibilities

The patched versions don't seem to have breaking changes aside being rewritten in ESM so you can try adding overrides to avoid those reports and see if everything works fine

"overrides": {
    "vue-jscodeshift-adapter": "^3.0.0",
    "micromatch": "^4.0.7"
  },

If they do, we could consider making the AE automatically add it when using NPM, but it's additional complexity for a minimal risk, so I'm not sure we actually want to take care of it

vue-template-compiler isn't really patchable, since there isn't a new version for it and we cannot bump fork-ts-checker-webpack-plugin anyway due to other constraints

[tinohager]

Is this a pure NPM problem, would I be better off with yarn?

The package dependencies and possible attacks on the dependencies are probably becoming an increasingly important topic.

I also believe that there is a need to catch up here in the future. The question is how we deal with it at the moment. As a responsible developer, I naturally don't want to ignore the warnings and think that nothing will happen.

[IlCallo]

yarn doesn't even have the linting problem

Both yarn and pnpm will report the same vulnerabilities, but that's not the point
These "fake" vulnerabilities are the problem

That said, the overrides will fix vulnerabilities, except than for NPM which complains about vue-template-compiler randomly

[tinohager]

Are there alternatives if the package no longer receives an update?

[IlCallo]

We haven't explored that, but if there is a possible replacement to avoid the vulnerability disclaimer, we can try that

[tinohager]

alias-hq has released a new version
davestewart/alias-hq#77

[IlCallo]

Released v3.0.3 bumping that dependency, but vue-jscodeshift-adapter still uses an older version of it, so it didn't change much

[tinohager]

I have added the information to the maintainer again
davestewart/alias-hq#77

[IlCallo]

Thanks!