Highlight.js: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue

Created on 25 Feb 2019  路  10Comments  路  Source: highlightjs/highlight.js

When installing this package via NPM, I get the following warnings and errors:
npm install highlight.js vue-highlight.js

npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated [email protected]: Use uuid module instead
npm WARN deprecated [email protected]: The major version is no longer supported. Please update to 4.x or newer
npm ERR! path /Users/*/node_modules/highlight.js/tools/build.js
npm ERR! code ENOENT
npm ERR! errno -2
npm ERR! syscall chmod
npm ERR! enoent ENOENT: no such file or directory, chmod '/Users/
*/node_modules/highlight.js/tools/build.js'
npm ERR! enoent This is related to npm not being able to find a file.

This is not vue-highlight.js issue.

Most helpful comment

Yeah I'm facing the same problem and I'm not using vue at all.

All 10 comments

same issue faced

Yeah I'm facing the same problem and I'm not using vue at all.

Duplicate of #1984

I think this may have been erroneously marked as a duplicate when 9.15+ was having install issues. The package installs fine now (woot thanks!), but...

9.14.2 had no dependency deprecation warnings, whereas 9.15.5 when installed without any other packages reports:

npm install highlight.js
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated [email protected]: Use uuid module instead
npm WARN deprecated [email protected]: The major version is no longer supported. Please update to 4.x or newer

This then results in npm audit reporting 25 vulnerabilities (6 low, 11 moderate, 8 high). Some of these packages look to only be used in tools or tests - do they need to be shipped as dependencies, creating these audit issues?

Actually looks like this may be a duplicate-ish of #1369, sorry. It wasn't a big issue in the past as the build deps weren't shipped with the release, but that seems to have changed with 9.15.x.

Can leave this open and close it when we actually deal with #1369.

Fixed in 9.15.6

Thank you! @marcoscaceres

As a bonus, we fixes all the outdated dependencies by forking gear and gear-lib :) We only have 1 low severity security warning 馃帀

You guys worked very well, I will go ahead with highlight.js
Thank you!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

ghost picture ghost  路  3Comments

goloroden picture goloroden  路  3Comments

Suyash2810 picture Suyash2810  路  8Comments

wooorm picture wooorm  路  6Comments

Lestoroer picture Lestoroer  路  7Comments