Problem/Motivation
Run "npm audit --omit=dev" on the command line and the result is as below:
nvm version 22.22
# npm audit report
immutable 4.0.0-rc.1 - 4.3.7
Severity: high
Immutable is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-wf6x-7x77-mvgw
fix available via `npm audit fix`
node_modules/immutable
nanoid <3.3.8
Severity: moderate
Predictable results in nanoid generation when given non-integer values - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix`
node_modules/nanoid
picomatch <=2.3.1
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch
postcss <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix`
node_modules/postcss
4 vulnerabilities (2 moderate, 2 high)
Proposed resolution
Run `npm audit fix` to fix all vulnerabilities
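As an added example (not code from this issue or from the Gin project): the same audit can be consumed as JSON (`npm audit --omit=dev --json`) and turned into a CI gate that fails on findings at or above a chosen severity, while separating fixes that `npm audit fix` applies on its own from semver-major fixes it only applies with `--force`. The sample report below is constructed to mirror the four advisories in the report above; the field layout (`vulnerabilities`, `severity`, `range`, `isDirect`, `fixAvailable`, `via`, `metadata`) is assumed to follow npm 7+'s auditReportVersion 2 output, and `example-pkg` with its advisory URL is a placeholder used only to exercise the semver-major case.

```javascript
// Added example: severity gate over `npm audit --omit=dev --json` output.
// Sample report CONSTRUCTED to mirror the four advisories in the issue text;
// field layout is assumed to follow npm 7+'s auditReportVersion 2 format.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    immutable: {
      name: "immutable", severity: "high", isDirect: false,
      range: "4.0.0-rc.1 - 4.3.7", nodes: ["node_modules/immutable"], fixAvailable: true,
      via: [{ title: "Immutable is vulnerable to Prototype Pollution",
              url: "https://github.com/advisories/GHSA-wf6x-7x77-mvgw", severity: "high" }],
    },
    nanoid: {
      name: "nanoid", severity: "moderate", isDirect: false,
      range: "<3.3.8", nodes: ["node_modules/nanoid"], fixAvailable: true,
      via: [{ title: "Predictable results in nanoid generation when given non-integer values",
              url: "https://github.com/advisories/GHSA-mwcw-c2x4-8c55", severity: "moderate" }],
    },
    picomatch: {
      name: "picomatch", severity: "high", isDirect: false,
      range: "<=2.3.1", nodes: ["node_modules/picomatch"], fixAvailable: true,
      via: [{ title: "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
              url: "https://github.com/advisories/GHSA-3v7f-55p6-f55p", severity: "high" },
            { title: "Picomatch has a ReDoS vulnerability via extglob quantifiers",
              url: "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", severity: "high" }],
    },
    postcss: {
      name: "postcss", severity: "moderate", isDirect: false,
      range: "<8.5.10", nodes: ["node_modules/postcss"], fixAvailable: true,
      via: [{ title: "PostCSS has XSS via Unescaped in its CSS Stringify Output",
              url: "https://github.com/advisories/GHSA-qx2v-qp2m-jg93", severity: "moderate" }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 2, high: 2, critical: 0, total: 4 } },
};

// Second CONSTRUCTED report: a fix that is semver-major, so `npm audit fix`
// will not apply it without --force. Package name and URL are placeholders.
const breakingFixAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "example-pkg": {
      name: "example-pkg", severity: "moderate", isDirect: true, range: "<2.0.0",
      nodes: ["node_modules/example-pkg"],
      fixAvailable: { name: "example-pkg", version: "2.0.0", isSemVerMajor: true },
      // `via` mixes advisory objects with package-name strings (transitive cause).
      via: [{ title: "Constructed advisory", url: "https://example.invalid/advisory/PLACEHOLDER",
              severity: "moderate" }, "some-dependent"],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 1, high: 0, critical: 0, total: 1 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Normalise one vulnerability entry into the fields a gate needs.
function normalise(v) {
  const fix = v.fixAvailable;
  const fixIsObject = typeof fix === "object" && fix !== null;
  return {
    name: v.name,
    severity: v.severity,
    range: v.range,
    direct: v.isDirect === true,
    fixAvailable: fix === true || fixIsObject,
    // isSemVerMajor means `npm audit fix` needs --force; flag for human review.
    breakingFix: fixIsObject && fix.isSemVerMajor === true,
    // Keep only advisory URLs; string entries are dependency names, not advisories.
    advisories: (v.via || []).filter((x) => typeof x === "object" && x !== null).map((x) => x.url),
  };
}

// Findings at or above `threshold`, split into auto-fixable vs needs-review, plus a verdict.
function evaluateAudit(report, threshold = "high") {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown severity threshold: ${threshold}`);
  const min = SEVERITY_RANK[threshold];
  const findings = Object.values(report.vulnerabilities || {}).map(normalise);
  const blocking = findings.filter((f) => (SEVERITY_RANK[f.severity] ?? -1) >= min);
  return {
    total: findings.length,
    blocking,
    autoFixable: blocking.filter((f) => f.fixAvailable && !f.breakingFix).map((f) => f.name),
    needsReview: blocking.filter((f) => !f.fixAvailable || f.breakingFix).map((f) => f.name),
    pass: blocking.length === 0,
  };
}

// Exit code for a CI step: 0 = clean at this threshold, 1 = blocking findings remain.
function exitCodeFor(summary) {
  return summary.pass ? 0 : 1;
}

// Human-readable one-line-per-finding summary for the job log.
function formatSummary(summary, threshold) {
  const lines = [`${summary.total} vulnerabilities, ${summary.blocking.length} at or above "${threshold}"`];
  for (const f of summary.blocking) {
    const fix = f.breakingFix ? "semver-major fix (review)" : f.fixAvailable ? "npm audit fix" : "no fix";
    lines.push(`  ${f.severity.padEnd(8)} ${f.name} ${f.range} [${fix}] ${f.advisories.join(" ")}`);
  }
  lines.push(`verdict: ${summary.pass ? "PASS" : "FAIL"} (exit ${exitCodeFor(summary)})`);
  return lines.join("\n");
}

const result = evaluateAudit(sampleAudit, "high");
console.log(formatSummary(result, "high"));
```

In a pipeline the report object would come from `JSON.parse` of the `npm audit --omit=dev --json` output rather than the constructed sample, and the chosen threshold decides whether moderate findings such as nanoid and postcss merely get logged or also fail the job.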
Issue fork gin-3589411
Comments
Comment #2
queenielow commented

Comment #5
jurgenhaas commented
This isn't a bug and it's not major either. Those packages only get used in dev environments and never in production.
But still, it's worth updating them. However, that requires a few more steps:
Please, only set the issue to NR if pipelines are green.