GitHub generates security alerts on yarn.lock for acorn and clean-css for fresh project generated by npx express-generator --view=pug #258

@codingthat

Description

First, create a new GitHub repo with .gitignore set to Node.

Then run npx express-generator --view=pug and push the results:

~ $ git clone git@github.com:codingthat/express-generator-test.git
Cloning into 'express-generator-test'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (3/3), done.
~ $ cd express-generator-test/
~/express-generator-test (master) $ npx express-generator --view=pug
npx: installed 10 in 1.989s
destination is not empty, continue? [y/N] y

   create : public/
   create : public/javascripts/
   create : public/images/
   create : public/stylesheets/
   create : public/stylesheets/style.css
   create : routes/
   create : routes/index.js
   create : routes/users.js
   create : views/
   create : views/error.pug
   create : views/index.pug
   create : views/layout.pug
   create : app.js
   create : package.json
   create : bin/
   create : bin/www

   install dependencies:
     $ npm install

   run the app:
     $ DEBUG=express-generator-test:* npm start

~/express-generator-test (master) $ yarn
yarn install v1.22.4
info No lockfile found.
[1/4] Resolving packages...
warning pug > pug-code-gen > constantinople > babel-types > babel-runtime > [email protected]: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
[2/4] Fetching packages...
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
Done in 7.49s.
~/express-generator-test (master) $ git add .
~/express-generator-test (master) $ git commit -m "Default project"
[master 7f62013] Default project
 10 files changed, 1009 insertions(+)
 create mode 100644 app.js
 create mode 100755 bin/www
 create mode 100644 package.json
 create mode 100644 public/stylesheets/style.css
 create mode 100644 routes/index.js
 create mode 100644 routes/users.js
 create mode 100644 views/error.pug
 create mode 100644 views/index.pug
 create mode 100644 views/layout.pug
 create mode 100644 yarn.lock
~/express-generator-test (master) $ git push
Counting objects: 17, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (14/14), done.
Writing objects: 100% (17/17), 15.42 KiB | 1.93 MiB/s, done.
Total 17 (delta 1), reused 0 (delta 0)
remote: Resolving deltas: 100% (1/1), done.
To github.com:codingthat/express-generator-test.git
   c10c6c2..7f62013  master -> master
~/express-generator-test (master) $ 

Back at GitHub, you'll see this:

We found potential security vulnerabilities in your dependencies.

Clicking the button to view alerts will show these two:

Security alerts for acorn and clean-css

acorn

The acorn one seems to not even be automatically fixable:

Upgrade acorn to version 5.7.4 or later.

Clicking the details link gives a short message entitled "Dependabot cannot update to the required version":

Dependabot cannot create a pull request as one or more other dependencies require a version that is incompatible with this update.

clean-css

Likewise, clean-css can't be fixed:

Upgrade clean-css to version 4.1.11 or later.

The details link shows the same short message as for acorn.


It's not immediately clear from looking at yarn.lock what the original dependencies even are, and acorn and clean-css are not present in package.json, so they probably need to be manually traced. It's also not clear what the conflict is from the short message on GitHub.
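The manual tracing the issue describes can be scripted: a yarn v1 lockfile is a flat list of "name@range" entries, each with a resolved version and its own dependency ranges, so a walk from the package.json dependencies down to the flagged package recovers every chain that pulls it in. The following is an added example, not code from the issue author or from the express-generator project. The embedded lockfile and the package.json dependency map are constructed and deliberately abbreviated (resolved and integrity fields dropped, only the packages needed to show the walk); the package names and versions in it are illustrative and are not claimed to be the real tree behind the alerts.

```python
"""Trace which package.json dependency pulls a flagged transitive package into a yarn.lock (v1)."""

# Constructed, abbreviated yarn.lock v1 excerpt (not the lockfile from the issue).
# The resolved/integrity fields are omitted because the walk does not need them.
SAMPLE_LOCK = """\
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


acorn@^3.1.0:
  version "3.3.0"

acorn@^4.0.4:
  version "4.0.13"

acorn-globals@^3.0.0:
  version "3.1.0"
  dependencies:
    acorn "^4.0.4"

clean-css@^3.3.0:
  version "3.4.28"
  dependencies:
    commander "2.8.x"

commander@2.8.x:
  version "2.8.1"

pug-code-gen@^2.0.2:
  version "2.0.2"
  dependencies:
    with "^5.0.0"

pug-filters@^3.1.0:
  version "3.1.0"
  dependencies:
    clean-css "^3.3.0"

pug@2.0.0-beta11:
  version "2.0.0-beta11"
  dependencies:
    pug-code-gen "^2.0.2"
    pug-filters "^3.1.0"

with@^5.0.0:
  version "5.1.1"
  dependencies:
    acorn "^3.1.0"
    acorn-globals "^3.0.0"
"""

# Direct dependencies as they would appear in package.json (constructed to match the sample).
PACKAGE_JSON_DEPS = {"pug": "2.0.0-beta11"}


def parse_yarn_lock(text):
    """Return {spec: {"name", "version", "deps": {name: range}}} for a v1 lockfile.

    A spec is 'name@range' exactly as written in the header line; several specs can
    share one entry ("acorn@^3.1.0, acorn@^3.3.0:") and then map to the same dict.
    """
    entries, current, in_deps = {}, None, False
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0 and line.endswith(":"):
            specs = [s.strip().strip('"') for s in line[:-1].split(",")]
            # rsplit on the last '@' keeps scoped names such as @babel/runtime intact
            current = {"name": specs[0].rsplit("@", 1)[0], "version": None, "deps": {}}
            for spec in specs:
                entries[spec] = current
            in_deps = False
        elif indent == 2:
            in_deps = False
            if line.startswith("version "):
                current["version"] = line.split(" ", 1)[1].strip('"')
            elif line in ("dependencies:", "optionalDependencies:"):
                in_deps = True
        elif indent == 4 and in_deps:
            name, rng = line.split(" ", 1)
            current["deps"][name.strip('"')] = rng.strip('"')
    return entries


def installed_versions(entries, name):
    """All resolved versions of `name` present in the lockfile (a package may occur more than once)."""
    return sorted({e["version"] for e in entries.values() if e["name"] == name})


def find_chains(entries, roots, target):
    """Return every path root -> ... -> target as a list of 'name@version' strings.

    roots is {name: range} taken from package.json; target is a bare package name.
    """
    chains = []

    def walk(spec, path, seen):
        entry = entries.get(spec)
        if entry is None:  # range not in the lockfile: nothing to follow
            return
        node = f'{entry["name"]}@{entry["version"]}'
        if node in seen:  # cycle guard; npm dependency graphs can be cyclic
            return
        path = path + [node]
        if entry["name"] == target:
            chains.append(path)
            return
        for dep_name, dep_range in entry["deps"].items():
            walk(f"{dep_name}@{dep_range}", path, seen | {node})

    for name, rng in roots.items():
        walk(f"{name}@{rng}", [], frozenset())
    return chains


if __name__ == "__main__":
    lock = parse_yarn_lock(SAMPLE_LOCK)
    for flagged in ("acorn", "clean-css"):
        print(f"{flagged}: installed versions {installed_versions(lock, flagged)}")
        for chain in find_chains(lock, PACKAGE_JSON_DEPS, flagged):
            print("  " + " -> ".join(chain))
```

On a real checkout, read yarn.lock and the "dependencies" object of package.json instead of the constructed strings. The output answers both questions the alert leaves open: which direct dependency owns the chain, and whether a single package name resolves to several versions, which is what makes a bump "incompatible" when one intermediate still pins an old range. For yarn v1 the built-in `yarn why acorn` prints the same ownership information without a script; the walk above is useful when the lockfile has to be inspected offline or as part of a CI check.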
