Babel CLI vulnerability in Javascript ES6 generator

[freemanchen]

Description

The babel upgrades done to the Javascript Flowtyped generator are needed in the Javascript ES6 generator as well. The 6.26.0 version of babel-cli causes a lot of npm audit vulnerabilities

openapi-generator version

Using the latest 4.0.3 release, ES6 Javascript generator

OpenAPI declaration file content or url

Command line used for generation

Running the following command in a CI step:

OPENAPI_GENERATOR_VERSION=4.0.3 \
  openapi-generator-cli generate \
  -i $OPENAPI_SPEC \
  -g javascript \
  -o $HOME/temp-build/codegen/ \
  --additional-properties usePromises=true \
  --additional-properties projectName="[...]" \
  --additional-properties modelPropertyNaming="camelCase"

Running an npm audit returns many vulnerabilities similar to the following:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ braces                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.3.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ babel-cli                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ babel-cli > chokidar > anymatch > micromatch > braces        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/786                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

Steps to reproduce

1. Generate an ES6 Javascript client
2. Run npm install
3. npm audit will warn about vulnerabilities due to dependencies of babel-cli

Related issues/PRs

#3121

Fixed for Javascript-Flowtyped generator in this previous PR by upgrading to @babel/cli: ^7.0.0 along with other related packages.

Suggest a fix/enhancement

Upgrade the same babel packages for the Javascript ES6 generator here: https://github.com/OpenAPITools/openapi-generator/blob/master/modules/openapi-generator/src/main/resources/Javascript/es6/package.mustache

[auto-labeler]

👍 Thanks for opening this issue!
🏷 I have applied any labels matching special text in your issue.

The team will review the labels and make any necessary changes.

[macjohnny]

@freemanchen would you like to file a PR?

[freemanchen]

@macjohnny Sure, but I probably won't get around to it until Monday.

[freemanchen]

@macjohnny PR has been created. Thanks.

[macjohnny]

@freemanchen thanks a lot!