Problem/Motivation

The menu_item_extras module includes a demo submodule (mie_demo_base) containing a package-lock.json file with a transitive dependency on vulnerable versions of the fsevents npm package (>=1.0.0, <1.2.11). GitHub Dependabot reports this as a malware advisory (GHSA-xv2f-5jw4-v95m).

The issue originates from outdated frontend build dependencies used by the demo submodule, including gulp-watch, webpack, and webpack-stream, which transitively require fsevents 1.x.

Although the affected demo submodule is not enabled or used in production Drupal sites, the vulnerable dependency still appears in automated security scanning tools such as Dependabot and enterprise security dashboards.

Steps to reproduce

1. Install the menu_item_extras module.
2. Run a GitHub Dependabot or npm security scan against the repository.
3. Observe the malware advisory for fsevents in modules/mie_demo_base/package-lock.json.
4. The advisory reports the affected versions as fsevents >=1.0.0, <1.2.11.

Proposed resolution

Update the demo submodule frontend dependencies so that the generated package-lock.json no longer references vulnerable fsevents 1.x versions.

Possible approaches:

* Regenerate the lockfile using newer dependency versions.
* Explicitly upgrade fsevents to 1.2.11 or later.
* Remove unused frontend/demo build dependencies entirely if they are no longer required.
* Consider removing committed demo build artifacts or lockfiles if they are unnecessary for the module.
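The lockfile check from the reproduction steps and the "verify the advisory is gone" task from the resolution, as an added example that is not the project's code: a Node script that walks a parsed package-lock.json (both the nested lockfileVersion 1 layout and the flat packages map of versions 2/3) and reports every fsevents copy inside the advisory range together with the chain of packages pulling it in. The sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example, not the menu_item_extras project's code: scan a parsed
// package-lock.json for fsevents in the advisory range >=1.0.0 <1.2.11.
const AFFECTED_MIN = [1, 0, 0];  // inclusive lower bound from the advisory
const AFFECTED_MAX = [1, 2, 11]; // exclusive upper bound (first fixed release)
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && cmp(v, AFFECTED_MIN) >= 0 && cmp(v, AFFECTED_MAX) < 0;
}

function findAffected(lock, name = 'fsevents') {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path such as
    // "node_modules/chokidar/node_modules/fsevents".
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key.endsWith(`node_modules/${name}`) && isAffected(info.version)) {
        hits.push(`${key} (${info.version})`);
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" trees; record the chain of names.
  const walk = (deps, chain) => {
    for (const [dep, info] of Object.entries(deps || {})) {
      const here = [...chain, `${dep}@${info.version}`];
      if (dep === name && isAffected(info.version)) hits.push(here.join(' > '));
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfile (not the real mie_demo_base one): a vulnerable fsevents
// nested under gulp-watch via chokidar, and an already fixed one under webpack.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  'gulp-watch': { version: '5.0.1', dependencies: { chokidar: { version: '2.1.8',
    dependencies: { fsevents: { version: '1.2.9' } } } } },
  webpack: { version: '4.46.0', dependencies: { fsevents: { version: '1.2.13' } } },
} };
findAffected(SAMPLE_LOCK).forEach((hit) => console.log('affected:', hit));
```

Running it against the real lockfile (`JSON.parse(fs.readFileSync(path))` in place of SAMPLE_LOCK) before and after regenerating the lockfile shows whether the affected range has actually left the tree, independent of when Dependabot next rescans.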

Remaining tasks

* Create and test a patch updating the affected dependencies.
* Verify Dependabot/security scans no longer report the advisory.
* Validate that demo submodule assets still build successfully (if still maintained).
* Open merge request / commit patch to the project issue queue.

User interface changes

None.

API changes

None.

Data model changes

None.

Comments

munizjor created an issue.