Security vulnerability due to npm scripts

[kulbhushanchand]

Recently github pages reported vulnerability in the minimal-mistakes theme. Screenshot below

npm has also issued security advisory for the same - mixin-deep and set-value

I tried solving this by adding the latest updated version of mixin-deep and set-value in the package.json file (top most level in hierarchy) overriding the use of these packages by any of dependent packages elsewhere.

"mixin-deep": "^2.0.1",
"set-value": "^3.0.1"

Unfortunately the above warning by github pages is still displaying, probably because of following error

Is anyone facing the same issue?

[mmistakes]

Looks like it's the onchange package that is using mixin-deep and set-value dependencies. Since this dependency is only used in the npm run watch:js script for local development and in no way affects the security of your actual site I don't think it's that big of an issue.

That said, just update onchange to version 6 and that will fix the security audit as it appears to not use those outdated packages.

1. In package.json change your devDependencies to

   "devDependencies": {
    "npm-run-all": "^4.1.5",
    "onchange": "^6.0.0",
    "uglify-js": "^3.4.9"
   },

2. Remove node_modules folder and package-lock.json
3. Run npm install

[kulbhushanchand]

Thank you for your quick support. Issue is fixed. :

May I ask how you got this

• as it appears to not use those outdated packages.

because in the chain of packages from onchange to mixin-deep, there are many intermediate packages. How you know if any one of them is not hardly dependent on any unsecured version of mixin-deep?

[mmistakes]

When I ran npm audit it showed what packages were using the insecure ones. And even if that didn't output anything useful, there are only 3 devDependencies used, so it would have been trivial to pull up each on https://www.npmjs.com/ to see their dependencies.

[kulbhushanchand]

What if base depends on the older conflicting version of mixin-deep.
even the npmjs page doesn't tells this.

[mmistakes]

No idea. This isn't my area of expertise.