Unable to solve vulnerability dependencies on quasar #18217
Unanswered
neotherack asked this question in General - Components / Directives / etc
Replies: 0 comments
Hello,
```shell
$ node -v
v22.14.0
$ npm -v
11.7.0
```
I've been working with quasar for a long time, since the old days, but now I got an automated report from GitHub about my app.
It shows dependency vulnerabilities which it seems are not possible to solve using quasar and npm.
This is an extract of my upgrade attempts.
```shell
$ quasar upgrade
Global Quasar CLI • Gathering information from the NPM registry (https://registry.npmjs.org/)...
Global Quasar CLI • Congrats! All Quasar packages are up to date (according to https://registry.npmjs.org/).
```

```shell
$ quasar upgrade --install
Global Quasar CLI • Gathering information from the NPM registry (https://registry.npmjs.org/)...
Global Quasar CLI • Congrats! All Quasar packages are up to date (according to https://registry.npmjs.org/).
```

```shell
$ npm install --save vue@3 vue-router@4

added 2 packages, and audited 1066 packages in 6s

241 packages are looking for funding
  run `npm fund` for details

12 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
```

```shell
$ npm install

up to date, audited 1066 packages in 6s

241 packages are looking for funding
  run `npm fund` for details

12 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
```

```shell
$ npm audit
# npm audit report

elliptic  *
Elliptic Uses a Cryptographic Primitive with a Risky Implementation - GHSA-848j-6mx2-7j84
fix available via `npm audit fix --force`
Will install node-polyfill-webpack-plugin@4.0.0, which is a breaking change
node_modules/elliptic
  browserify-sign  >=2.4.0
  Depends on vulnerable versions of elliptic
  node_modules/browserify-sign
    crypto-browserify  >=3.4.0
    Depends on vulnerable versions of browserify-sign
    Depends on vulnerable versions of create-ecdh
    node_modules/crypto-browserify
      node-stdlib-browser  *
      Depends on vulnerable versions of crypto-browserify
      node_modules/node-stdlib-browser
        node-polyfill-webpack-plugin  >=4.1.0
        Depends on vulnerable versions of node-stdlib-browser
        node_modules/node-polyfill-webpack-plugin
  create-ecdh  *
  Depends on vulnerable versions of elliptic
  node_modules/create-ecdh

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - GHSA-52f5-9888-hmc6
fix available via `npm audit fix --force`
Will install @quasar/app-webpack@3.15.1, which is a breaking change
node_modules/tmp
  external-editor  >=1.1.1
  Depends on vulnerable versions of tmp
  node_modules/external-editor
    @inquirer/editor  <=4.2.15
    Depends on vulnerable versions of external-editor
    node_modules/@inquirer/editor
      @inquirer/prompts  <=6.0.1
      Depends on vulnerable versions of @inquirer/editor
      node_modules/@inquirer/prompts
        inquirer  10.0.0 - 11.1.0
        Depends on vulnerable versions of @inquirer/prompts
        node_modules/inquirer
          @quasar/app-webpack  >=4.0.0-alpha.1
          Depends on vulnerable versions of inquirer
          node_modules/@quasar/app-webpack

12 low severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
```shell
$ cat package.json
```

```json
{
  "name": "<>",
  "version": "0.0.1",
  "description": "<>",
  "productName": "<>",
  "author": "<>",
  "private": true,
  "scripts": {
    "lint": "eslint --ext .js,.vue ./",
    "format": "prettier --write \"**/*.{js,vue,scss,html,md,json}\" --ignore-path .gitignore",
    "test": "echo \"No test specified\" && exit 0"
  },
  "dependencies": {
    "@quasar/extras": "^1.17.0",
    "core-js": "^3.48.0",
    "node-polyfill-webpack-plugin": "^4.1.0",
    "quasar": "^2.18.6",
    "vue": "^3.5.27",
    "vue-i18n": "^11.2.8",
    "vue-router": "^4.6.4"
  },
  "devDependencies": {
    "@babel/eslint-parser": "^7.28.6",
    "@quasar/app-webpack": "^4.3.1",
    "autoprefixer": "^10.4.23",
    "eslint": "^9.39.2",
    "eslint-config-prettier": "^10.1.8",
    "eslint-plugin-vue": "^10.7.0",
    "eslint-webpack-plugin": "^5.0.2",
    "npm-check-updates": "^19.3.1",
    "prettier": "^3.8.1"
  },
  "resolutions": {
    "tmp": "^0.2.4",
    "elliptic": "^6.6.2",
    "tar": "^7.5.3",
    "diff": "^8.0.3"
  },
  "browserslist": [
    "last 10 Chrome versions",
    "last 10 Firefox versions",
    "last 4 Edge versions",
    "last 7 Safari versions",
    "last 8 Android versions",
    "last 8 ChromeAndroid versions",
    "last 8 FirefoxAndroid versions",
    "last 10 iOS versions",
    "last 5 Opera versions"
  ],
  "engines": {
    "node": ">= 12.22.1",
    "npm": ">= 6.13.4",
    "yarn": ">= 1.21.1"
  }
}
```
GitHub vulnerability report:
Known security vulnerabilities detected
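An added note and example, not part of the original post: the `resolutions` field is Yarn's mechanism and npm does not read it, so with npm 11.7.0 (as shown above) the pins in that package.json never influence `npm install`; npm's equivalent field is `overrides`. The same four pins expressed as npm overrides (example configuration written for this page, not taken from the post or from Quasar):

```json
{
  "overrides": {
    "tmp": "^0.2.4",
    "elliptic": "^6.6.2",
    "tar": "^7.5.3",
    "diff": "^8.0.3"
  }
}
```

Note that the audit output itself lists `elliptic *`, meaning every published version is flagged, so the `elliptic` override cannot clear that entry and the report's own route is the `node-polyfill-webpack-plugin@4.0.0` it names; re-run `npm install` followed by `npm audit` to confirm which entries the overrides actually removed.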