
npm install reports "36 low level vulnerabilities" #7583

Open
slimandslam opened this issue Jan 19, 2021 · 10 comments
Labels
Build Related to build issues feature-request Request a new feature

Comments

@slimandslam

slimandslam commented Jan 19, 2021

Describe the bug
Doing an "npm install" with the latest version of aws-amplify yields "36 low-level vulnerabilities". Using Nodejs version 15.6.0 and npm 7.4.0

To Reproduce
Use this perfunctory package.json file:

{
  "name": "MyApp",
  "version": "0.4.0",
  "private": true,
  "dependencies": {
    "aws-amplify": "^3.3.17"
  },
  "scripts": {
    "start": "react-scripts start",
    "build": "react-scripts build",
    "test": "react-scripts test",
    "eject": "react-scripts eject"
  },
  "browserslist": {
    "production": [
      ">0.2%",
      "not dead",
      "not op_mini all"
    ],
    "development": [
      "last 1 chrome version",
      "last 1 firefox version",
      "last 1 safari version"
    ]
  }
}

Type $ npm install with Nodejs installed.

Expected behavior
I expect the output to be "0 low-level vulnerabilities"

@slimandslam slimandslam added the to-be-reproduced Used in order for Amplify to reproduce said issue label Jan 19, 2021
@slimandslam slimandslam changed the title npm install reports "36 low level vulnerabilities" with reactjs npm install reports "36 low level vulnerabilities" Jan 19, 2021
@sammartinez sammartinez added needs-discussion Used for internal discussions and removed to-be-reproduced Used in order for Amplify to reproduce said issue labels Jan 22, 2021
@slimandslam
Author

Updated to v3.3.17 -- same thing.

@eriksendc

Hey @slimandslam I'm running into low level vulnerabilities, but I'm on 3.3.25. On 3.3.25 I'm getting 7, and npm audit shows the following:

# npm audit report

xmldom  <0.5.0
Misinterpretation of malicious XML input - https://npmjs.com/advisories/1650
fix available via `npm audit fix`
node_modules/xmldom
  plist  >=0.3.2
  Depends on vulnerable versions of xmldom
  node_modules/plist
    @react-native-community/cli-platform-ios  *
    Depends on vulnerable versions of plist
    Depends on vulnerable versions of xcode
    node_modules/@react-native-community/cli-platform-ios
      react-native  <=0.0.0-ffdfbbec0 || >=0.62.1
      Depends on vulnerable versions of @react-native-community/cli
      Depends on vulnerable versions of @react-native-community/cli-platform-ios
      node_modules/react-native
        @react-native-community/cli  >=5.0.0-alpha.0
        Depends on vulnerable versions of react-native
        node_modules/@react-native-community/cli
    simple-plist  *
    Depends on vulnerable versions of plist
    node_modules/simple-plist
      xcode  >=0.8.3
      Depends on vulnerable versions of simple-plist
      node_modules/xcode

7 low severity vulnerabilities
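
The audit tree quoted above is a graph, not a flat list: one advisory (xmldom) is reported once per package that inherits it. The following added example (not code from the issue or the Amplify project) parses a constructed `npm audit --json` report in the npm 7 `auditReportVersion: 2` shape, mirroring the chain shown above including the react-native / @react-native-community/cli cycle, and reduces it to the count of distinct advisories, their severity, and whether any direct dependency is affected.

```javascript
// Constructed sample of `npm audit --json` (auditReportVersion 2, npm 7+) that
// mirrors the xmldom -> plist -> ... chain quoted in this thread. Advisory
// details are taken from the quoted report; the JSON layout is assumed.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    xmldom: { name: 'xmldom', severity: 'low', isDirect: false, range: '<0.5.0',
      via: [{ source: 1650, title: 'Misinterpretation of malicious XML input',
              url: 'https://npmjs.com/advisories/1650', severity: 'low', range: '<0.5.0' }],
      effects: ['plist'] },
    plist: { name: 'plist', severity: 'low', isDirect: false, via: ['xmldom'],
      effects: ['@react-native-community/cli-platform-ios', 'simple-plist'] },
    'simple-plist': { name: 'simple-plist', severity: 'low', isDirect: false,
      via: ['plist'], effects: ['xcode'] },
    xcode: { name: 'xcode', severity: 'low', isDirect: false, via: ['simple-plist'],
      effects: ['@react-native-community/cli-platform-ios'] },
    '@react-native-community/cli-platform-ios': { name: '@react-native-community/cli-platform-ios',
      severity: 'low', isDirect: false, via: ['plist', 'xcode'], effects: ['react-native'] },
    'react-native': { name: 'react-native', severity: 'low', isDirect: false,
      via: ['@react-native-community/cli', '@react-native-community/cli-platform-ios'],
      effects: ['@react-native-community/cli'] },
    '@react-native-community/cli': { name: '@react-native-community/cli', severity: 'low',
      isDirect: false, via: ['react-native'], effects: ['react-native'] },
  },
};
// Root advisories: `via` entries that are advisory objects rather than package names.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities).flatMap(v =>
    v.via.filter(x => typeof x === 'object').map(adv => ({ pkg: v.name, ...adv })));
}
// Packages inheriting a finding from `pkg`, following `effects` depth-first;
// `seen` guards against the dependency cycles npm includes in the report.
function affectedChain(report, pkg, seen = new Set()) {
  if (seen.has(pkg) || !report.vulnerabilities[pkg]) return [];
  seen.add(pkg);
  return [pkg, ...report.vulnerabilities[pkg].effects.flatMap(e => affectedChain(report, e, seen))];
}
// Triage summary: count distinct advisories (not the packages npm lists),
// bucket them by severity, and flag any that sit in a direct dependency.
function triage(report) {
  const roots = rootAdvisories(report);
  const bySeverity = {};
  for (const r of roots) bySeverity[r.severity] = (bySeverity[r.severity] || 0) + 1;
  return {
    advisories: roots.length,
    bySeverity,
    directlyAffected: Object.values(report.vulnerabilities).filter(v => v.isDirect).map(v => v.name),
    chains: roots.map(r => ({ advisory: r.url, packages: affectedChain(report, r.pkg) })),
  };
}
console.log(JSON.stringify(triage(sampleReport), null, 2));
```

For the sample above the walk yields one advisory reaching seven packages, which is how "7 low severity vulnerabilities" arises from a single xmldom finding; pipe a real report in with `npm audit --json` and `JSON.parse` to apply it to a live install.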

@slimandslam
Author

I guess that's an improvement (?) :-D

@eriksendc

@slimandslam Definitely an improvement, but some stakeholders of mine wish things were squeaky clean. (Zero vulnerabilities.)

@TheVirtuoid

To add to this older thread:

I am revisiting Amplify after a year and a half for a new project.

I just ran npm install -g @aws-amplify/cli and received a whole host of vulnerabilities. The entire list is:

npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated graphql-import@0.7.1: GraphQL Import has been deprecated and merged into GraphQL Tools, so it will no longer get updates. Use GraphQL Tools instead to stay up-to-date! Check out https://www.graphql-tools.com/docs/migration-from-import for migration and https://the-guild.dev/blog/graphql-tools-v6 for new changes.
npm WARN deprecated event-to-promise@0.8.0: Use promise-toolbox/fromEvent instead
npm WARN deprecated @graphql-toolkit/common@0.9.7: GraphQL Toolkit is deprecated and merged into GraphQL Tools, so it will no longer get updates. Use GraphQL Tools instead to stay up-to-date! Check out https://www.graphql-tools.com/docs/migration-from-toolkit for migration and https://the-guild.dev/blog/graphql-tools-v6 for new changes.
npm WARN deprecated @graphql-toolkit/common@0.9.7: GraphQL Toolkit is deprecated and merged into GraphQL Tools, so it will no longer get updates. Use GraphQL Tools instead to stay up-to-date! Check out https://www.graphql-tools.com/docs/migration-from-toolkit for migration and https://the-guild.dev/blog/graphql-tools-v6 for new changes.
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated @graphql-toolkit/common@0.6.6: GraphQL Toolkit is deprecated and merged into GraphQL Tools, so it will no longer get updates. Use GraphQL Tools instead to stay up-to-date! Check out https://www.graphql-tools.com/docs/migration-from-toolkit for migration and https://the-guild.dev/blog/graphql-tools-v6 for new changes.
npm WARN deprecated graphql-tools@4.0.8: This package has been deprecated and now it only exports makeExecutableSchema.\nAnd it will no longer receive updates.\nWe recommend you to migrate to scoped packages such as @graphql-tools/schema, @graphql-tools/utils and etc.\nCheck out https://www.graphql-tools.com to learn what package you should use instead
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@2.6.12: core-js@<3.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Please, upgrade your dependencies to the actual version of core-js.

added 1414 packages, and audited 1422 packages in 1m

45 packages are looking for funding
  run `npm fund` for details

42 vulnerabilities (15 low, 11 moderate, 16 high)

Running:
npm: 7.16.0
node: 16.4.0
amplify: 5.3.0 (fresh install)

I have never installed Amplify on this machine.

Is any work being done to mitigate all these vulnerabilities? Frankly, I would be hesitant to use it for any project. Which is a shame - the Authentication feature and its integration with Vue was great the last time I used it. :)

@david-mcafee
Contributor

@sammartinez sammartinez added Build Related to build issues and removed needs-discussion Used for internal discussions labels Nov 2, 2021
@aws-eddy

aws-eddy commented Nov 3, 2021

@TheVirtuoid, we definitely hear you and we (I) have opened an issue for the cli team to take a look at here: aws-amplify/amplify-cli#8178. I am going to see if I can improve this for both CLI and JS. Thank you for bringing this to our attention.

@irSteve

irSteve commented Jan 22, 2022

We're close to the end of January 2022 - about a year later. Still seems like an issue.

A fresh install of aws-amplify results in 26 vulnerabilities (6 moderate, 20 high). My clients are concerned with this result and therefore question the quality of Amplify.

npm install aws-amplify
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.3.2: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uglify-es@3.3.9: support for ECMAScript is superseded by `uglify-js` as of v3.13.0

added 1069 packages, and audited 1070 packages in 30s

28 packages are looking for funding
  run `npm fund` for details

26 vulnerabilities (6 moderate, 20 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

By contrast, the widely used create-react-app results in ZERO (0) vulnerabilities.

Would it be possible to get an eta on a resolution from the team?

@acomanescu

Today, 9 Feb, with the version "aws-amplify": "^4.3.14" there are 11 moderate severity vulnerabilities. There's progress, but we need a stable version.

@aws-eddy aws-eddy removed their assignment Feb 24, 2022
@nickyoung87

October 2022 and still seeing this.


@tannerabread tannerabread added the feature-request Request a new feature label Mar 6, 2023