Outdated packages with vulnerabilities

[peter-stewart-thg]

We've been using this package for a number of years, but are currently seeing issues flagged up by dependabot.
Many of the NPM packages are outdated and have vulnerabilities.

Currently we're seeing 100 vulnerabilities:

• Critical: 13
• High: 54
• Moderate: 24
• Low: 9

I've started auditing the package to see if I can easily resolve these vulnerabilities, however, currently I'm seeing a number of deprecated packages used, so some if not all of these will need to be replaced.
There are also a number of packages that are no longer maintained.

We would like to continue using the package, however, these security vulnerabilities make that not an option for us at the moment.

I aim to complete my audit of the packages today, and will update this issue with my findings.
I will then see how feasible it is to resolve the vulnerabilities.

Do you plan to continue maintaining this package?
Is anyone else working on updating these packages?

If the package is going to be maintained,
I'm happy to help resolve these issues and get it back up and running.
Also, if there is someone who knows the package well, it would be very helpful to be able to discuss the packages that are currently used.

[peter-stewart-thg]

I have been going through the packages this morning, and here is my initial analysis:

NPM Packages

Dev Dependencies

• autoprefixer
  NPM: https://www.npmjs.com/package/autoprefixer
  GitHub: https://github.com/postcss/autoprefixer
  Last updated: 3 years ago
  Current version: ^7.1.6
  Latest version: 10.4.14
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• babel-core
  NPM: https://www.npmjs.com/package/babel-core
  GitHub: https://github.com/babel/babel
  Last updated: 7 years ago
  Current version: ^6.25.0
  Latest version: 6.26.3
  Vulnerabilities: 2 Critical
  Deprecated: Yes
  Alternative: https://www.npmjs.com/package/@babel/core

• babel-eslint
  NPM: https://www.npmjs.com/package/babel-eslint
  GitHub: https://github.com/babel/babel-eslint
  Last updated: 5 years ago
  Current version: ^7.2.3
  Latest version: 10.1.0
  Vulnerabilities: 2 Critical
  Deprecated: Yes
  Alternative: https://www.npmjs.com/package/@babel/eslint-parser

• babel-jest
  NPM: https://www.npmjs.com/package/babel-jest
  GitHub: https://github.com/facebook/jest
  Last updated: 4 months ago
  Current version: ^20.0.3
  Latest version: 29.7.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• babel-loader
  NPM: https://www.npmjs.com/package/babel-loader
  GitHub: https://github.com/babel/babel-loader
  Last updated: 3 months ago
  Current version: ^7.1.1
  Latest version: 9.1.3
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• babel-plugin-dynamic-import-webpack
  NPM: https://www.npmjs.com/package/babel-plugin-dynamic-import-webpack
  GitHub: https://github.com/airbnb/babel-plugin-dynamic-import-webpack
  Last updated: 6 years ago
  Current version: ^1.0.2
  Latest version: 1.1.0
  Vulnerabilities: None reported
  Deprecated: Yes
  Alternative: N/A

• babel-plugin-lodash
  NPM: https://www.npmjs.com/package/babel-plugin-lodash
  GitHub: https://github.com/lodash/babel-plugin-lodash
  Last updated: 7 years ago
  Current version: ^3.2.11
  Latest version: 3.3.4
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• babel-plugin-transform-object-assign
  NPM: https://www.npmjs.com/package/babel-plugin-transform-object-assign
  GitHub: https://github.com/babel/babel
  Last updated: 7 years ago
  Current version: ^6.22.0
  Latest version: 6.26.0
  Vulnerabilities: None reported
  Deprecated: Yes
  Alternative: @babel/plugin-transform-runtime

• babel-plugin-transform-object-rest-spread
  NPM: https://www.npmjs.com/package/babel-plugin-transform-object-rest-spread
  GitHub: https://github.com/babel/babel
  Last updated: 7 years ago
  Current version: ^6.26.0
  Latest version: 6.26.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: Use native ECMAScript 6

• babel-preset-airbnb
  NPM: https://www.npmjs.com/package/babel-preset-airbnb
  Last updated: 5 years ago
  Current version: ^2.4.0
  Latest version: 5.0.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: Use @babel/preset-env

• babel-preset-env
  NPM: https://www.npmjs.com/package/babel-preset-env
  GitHub: https://github.com/babel/babel-preset-env
  Last updated: 7 years ago
  Current version: ^1.6.0
  Latest version: 1.7.0
  Vulnerabilities: None reported
  Deprecated: Yes
  Alternative: Use @babel/preset-env

• babel-preset-es2015
  NPM: https://www.npmjs.com/package/babel-preset-es2015
  GitHub: https://github.com/babel/babel
  Last updated: 5 years ago
  Current version: ^6.24.1
  Latest version: 6.24.1
  Vulnerabilities: None reported
  Deprecated: Yes
  Alternative: Use @babel/preset-env

• babel-preset-react
  NPM: https://www.npmjs.com/package/babel-preset-react
  GitHub: https://github.com/babel/babel
  Last updated: 7 years ago
  Current version: ^6.24.1
  Latest version: 6.24.1
  Vulnerabilities: None reported
  Deprecated: Yes
  Alternative: Use @babel/preset-react

• babel-runtime
  NPM: https://www.npmjs.com/package/babel-runtime
  GitHub: https://github.com/babel/babel
  Last updated: 7 years ago
  Current version: ^6.23.0
  Latest version: 6.26.0
  Vulnerabilities: None reported
  Deprecated: Yes
  Alternative: Use @babel/runtime

• css-loader
  NPM: https://www.npmjs.com/package/css-loader
  GitHub: https://github.com/webpack-contrib/css-loader
  Last updated: 7 months ago
  Current version: ^0.28.7
  Latest version: 7.1.2
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• eslint
  NPM: https://www.npmjs.com/package/eslint
  GitHub: https://github.com/eslint/eslint
  Last updated: 4 days ago
  Current version: ^4.3.0
  Latest version: 9.17.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• eslint-config-airbnb-base
  NPM: https://www.npmjs.com/package/eslint-config-airbnb-base
  GitHub: https://github.com/airbnb/javascript/tree/master/packages/eslint-config-airbnb-base
  Last updated: 3 years ago
  Current version: ^11.3.0
  Latest version: 15.0.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• eslint-loader
  NPM: https://www.npmjs.com/package/eslint-loader
  GitHub: https://github.com/webpack-contrib/eslint-loader
  Last updated: 3 years ago
  Current version: ^1.9.0
  Latest version: 4.0.2
  Vulnerabilities: None reported
  Deprecated: Yes
  Alternative: https://www.npmjs.com/package/eslint-webpack-plugin

• eslint-plugin-import
  NPM: https://www.npmjs.com/package/eslint-plugin-import
  GitHub: https://github.com/import-js/eslint-plugin-import
  Last updated: 2 months ago
  Current version: ^2.7.0
  Latest version: 2.31.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• eslint-plugin-jest
  NPM: https://www.npmjs.com/package/eslint-plugin-jest
  GitHub: https://github.com/jest-community/eslint-plugin-jest
  Last updated: 1 month ago
  Current version: ^20.0.3
  Latest version: 28.9.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• eslint-plugin-react
  NPM: https://www.npmjs.com/package/eslint-plugin-react
  GitHub: https://github.com/jsx-eslint/eslint-plugin-react
  Last updated: 2 months ago
  Current version: ^7.4.0
  Latest version: 7.37.2
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• exports-loader
  NPM: https://www.npmjs.com/package/exports-loader
  GitHub: https://github.com/webpack-contrib/exports-loader
  Last updated: 1 year ago
  Current version: ^0.6.4
  Latest version: 5.0.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• extract-text-webpack-plugin
  NPM: https://www.npmjs.com/package/extract-text-webpack-plugin
  GitHub: https://github.com/webpack-contrib/extract-text-webpack-plugin
  Last updated: 7 years ago
  Current version: ^3.0.0
  Latest version: 3.0.2
  Vulnerabilities: None reported
  Deprecated: Yes
  Alternative: Use https://www.npmjs.com/package/mini-css-extract-plugin

• jest
  NPM: https://www.npmjs.com/package/jest
  GitHub: https://github.com/facebook/jest
  Last updated: 4 months ago
  Current version: ^20.0.4
  Latest version: 29.7.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• node-sass
  NPM: https://www.npmjs.com/package/node-sass
  GitHub: https://github.com/sass/node-sass
  Last updated: 2 years ago
  Current version: ^4.5.3
  Latest version: 9.0.0
  Vulnerabilities: 3 Moderate
  Deprecated: Yes
  Alternative: Use https://www.npmjs.com/package/sass

• postcss-loader
  NPM: https://www.npmjs.com/package/postcss-loader
  GitHub: https://github.com/webpack-contrib/postcss-loader
  Last updated: 10 months ago
  Current version: ^2.0.8
  Latest version: 8.1.1
  Vulnerabilities: 4 Moderate
  Deprecated: No
  Alternative: N/A

• sass-loader
  NPM: https://www.npmjs.com/package/sass-loader
  GitHub: https://github.com/webpack-contrib/sass-loader
  Last updated: 13 days ago
  Current version: ^6.0.6
  Latest version: 16.0.4
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• sass-module-importer
  NPM: https://www.npmjs.com/package/sass-module-importer
  GitHub: https://github.com/maoberlehner/node-sass-magic-importer
  Last updated: 8 years ago
  Current version: ^1.4.0
  Latest version: 1.4.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: This probably isn't needed as modules can be imported

• sass-mq
  NPM: https://www.npmjs.com/package/sass-mq
  GitHub: https://github.com/sass-mq/sass-mq
  Last updated: 2 months ago
  Current version: ^3.3.2
  Latest version: 6.0.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• style-loader
  NPM: https://www.npmjs.com/package/style-loader
  GitHub: https://github.com/webpack-contrib/style-loader
  Last updated: 8 months ago
  Current version: ^0.18.2
  Latest version: 4.0.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• stylelint
  NPM: https://www.npmjs.com/package/stylelint
  GitHub: https://github.com/stylelint/stylelint
  Last updated: 2 days ago
  Current version: ^8.2.0
  Latest version: 16.12.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• stylelint-scss
  NPM: https://www.npmjs.com/package/stylelint-scss
  GitHub: https://github.com/stylelint-scss/stylelint-scss
  Last updated: 1 month ago
  Current version: ^2.1.0
  Latest version: 6.10.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• webpack
  NPM: https://www.npmjs.com/package/webpack
  GitHub: https://github.com/webpack/webpack
  Last updated: 12 days ago
  Current version: ^3.3.0
  Latest version: 5.97.1
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

---

Dependencies

• brace
  NPM: https://www.npmjs.com/package/brace
  GitHub: https://github.com/thlorenz/brace
  Last updated: 7 years ago
  Current version: ^0.11.1
  Latest version: 0.11.1
  Vulnerabilities: 2 High, 3 Low
  Deprecated: No
  Alternative: Perhaps remove this, as I'm nopt sure it's really needed

• core-js
  NPM: https://www.npmjs.com/package/core-js
  GitHub: https://github.com/zloirock/core-js
  Last updated: 2 months ago
  Current version: ^2.5.1
  Latest version: 3.39.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: Upgrade to core-js v3

• custom-event-polyfill
  NPM: https://www.npmjs.com/package/custom-event-polyfill
  GitHub: https://github.com/krambuhl/custom-event-polyfill
  Last updated: 6 years ago
  Current version: ^0.3.0
  Latest version: 1.0.7
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: I'm not sure this is still needed

• draft-convert
  NPM: https://www.npmjs.com/package/draft-convert
  GitHub: https://github.com/HubSpot/draft-convert
  Last updated: 2 years ago
  Current version: ^2.0.0
  Latest version: 2.1.13
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• draft-js
  NPM: https://www.npmjs.com/package/draft-js
  GitHub: https://github.com/facebook/draft-js
  Last updated: 4 years ago
  Current version: ^0.10.3
  Latest version: 0.11.7
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• draft-js-export-html
  NPM: https://www.npmjs.com/package/draft-js-export-html
  GitHub: https://github.com/sstur/draft-js-export-html
  Last updated: 5 years ago
  Current version: ^1.2.0
  Latest version: 1.4.1
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• immutable
  NPM: https://www.npmjs.com/package/immutable
  GitHub: https://github.com/immutable-js/immutable-js
  Last updated: 1 month ago
  Current version: ^3.8.2
  Latest version: 5.0.3
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• js-beautify
  NPM: https://www.npmjs.com/package/js-beautify
  GitHub: https://github.com/beautify-web/js-beautify
  Last updated: 10 months ago
  Current version: ^1.7.5
  Latest version: 1.15.1
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• lodash-es
  NPM: https://www.npmjs.com/package/lodash-es
  GitHub: https://github.com/lodash/lodash
  Last updated: 4 years ago
  Current version: ^4.17.21
  Latest version: 4.17.21
  Vulnerabilities: 1 Critical, 2 High, 2 Moderate
  Deprecated: No
  Alternative: These issues are mainly due to Redux depending on an older version

• moment
  NPM: https://www.npmjs.com/package/moment
  GitHub: https://github.com/moment/moment
  Last updated: 1 year ago
  Current version: ^2.20.1
  Latest version: 2.30.1
  Vulnerabilities: 2 High
  Deprecated: No
  Alternative: Use dayjs

• prop-types
  NPM: https://www.npmjs.com/package/prop-types
  GitHub: https://github.com/facebook/prop-types
  Last updated: 3 years ago
  Current version: ^15.6.0
  Latest version: 15.8.1
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• react
  NPM: https://www.npmjs.com/package/react
  GitHub: https://github.com/facebook/react
  Last updated: 12 days ago
  Current version: ^16.0.0
  Latest version: 19.0.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• react-ace
  NPM: https://www.npmjs.com/package/react-ace
  GitHub: https://github.com/securingsincity/react-ace
  Last updated: 2 months ago
  Current version: ^5.9.0
  Latest version: 13.0.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• react-dom
  NPM: https://www.npmjs.com/package/react-dom
  GitHub: https://github.com/facebook/react
  Last updated: 12 days ago
  Current version: ^16.0.0
  Latest version: 19.0.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• react-loadable
  NPM: https://www.npmjs.com/package/react-loadable
  GitHub: https://github.com/jamiebuilds/react-loadable
  Last updated: 6 years ago
  Current version: ^5.4.0
  Latest version: 5.5.0
  Vulnerabilities: None reported
  Deprecated: Yes
  Alternative: Use React.lazy and Suspense

• react-redux
  NPM: https://www.npmjs.com/package/react-redux
  GitHub: https://github.com/reduxjs/react-redux
  Last updated: 6 days ago
  Current version: ^5.0.6
  Latest version: 9.2.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: N/A

• react-select
  NPM: https://www.npmjs.com/package/react-select
  GitHub: https://github.com/JedWatson/react-select
  Last updated: 6 days ago
  Current version: ^1.1.0
  Latest version: 5.9.0
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: Upgrade to v5

• redux
  NPM: https://www.npmjs.com/package/redux
  GitHub: https://github.com/reduxjs/redux
  Last updated: 3 years ago
  Current version: ^3.7.2
  Latest version: 5.0.1
  Vulnerabilities: 1 Critical, 2 High, 2 Moderate
  Deprecated: No
  Alternative: N/A

• redux-devtools-extension
  NPM: https://www.npmjs.com/package/redux-devtools-extension
  GitHub: https://github.com/zalmoxisus/redux-devtools-extension
  Last updated: 4 years ago
  Current version: ^2.13.2
  Latest version: 2.13.9
  Vulnerabilities: None reported
  Deprecated: Yes
  Alternative: Use @redux-devtools/extension

• redux-observable
  NPM: https://www.npmjs.com/package/redux-observable
  GitHub: https://github.com/redux-observable/redux-observable
  Last updated: 3 years ago
  Current version: ^0.16.0
  Latest version: 3.0.0-rc.2
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: This is no longer maintained, but considered stable

• rxjs
  NPM: https://www.npmjs.com/package/rxjs
  GitHub: https://github.com/reactivex/rxjs
  Last updated: 1 year ago
  Current version: ^5.4.3
  Latest version: 7.8.1
  Vulnerabilities: None reported
  Deprecated: No
  Alternative: Upgrade to RxJS 7

[peter-stewart-thg]

I will now see if I can get these issue resolved and create a pull request if I'm successful.

[peter-stewart-thg]

I've now updated all the packages and resolved all related issue.
The PR is here: #701

There are a few deprecation warning related to 'sass-mq' as the package is using some method that are soon to be removed from 'sass'.

As far as I can tell, though, the whole package builds and all the npm scripts are working as expected.
I did need to rewrite quite a lot of the code, and I haven't fully tested the package on WordPress, so there might be some changes needed, but hopefully this is a good start.

Let me know if you have any questions.

[peter-stewart-thg]

I have just made a few more changes to this after testing the package in our WordPress install.
Unfortunately the changes are not quite functioning as intended.

I have just update how "react-select/async" and ajax from "rxjs" are used to bring them inline with the latests packages, however, it's still not working perfectly.

I might not have any more time to work on this, so if anyone else is able to take this on, please let me know.