How to resolve vulnerabilities detected by yarn audit?

[Dirk-]

I develop a SPA with quasar 1.15.20, @quasar/app 2.2.10 (sorry, no CLI - SPA mode topic available).

I did yarn audit and it detected five vulnerabilities with high severity. These vulnerabilities stem from normalize-url and css-what which are indirectly used by @quasar/app (via mini-css-extract-plugin and cssnano).

I would like to get rid of these vulnerabilities. I installed yarn-audit-fix, but it could not fix them:

Patching yarn.lock with audit data...
invoke yarn audit --json
Can't find patched version that satisfies css-what@^3.2.1 in >=5.0.1
Can't find patched version that satisfies glob-parent@^3.1.0 in >=5.1.2
Can't find patched version that satisfies normalize-url@1.9.1 in >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1
Can't find patched version that satisfies normalize-url@^3.0.0 in >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1
Can't find patched version that satisfies postcss@^7.0.0 in >=8.2.10
Can't find patched version that satisfies postcss@^7.0.1 in >=8.2.10
Can't find patched version that satisfies postcss@^7.0.14 in >=8.2.10
Can't find patched version that satisfies postcss@^7.0.26 in >=8.2.10
Can't find patched version that satisfies postcss@^7.0.27 in >=8.2.10
Can't find patched version that satisfies postcss@^7.0.32 in >=8.2.10
Can't find patched version that satisfies postcss@^7.0.5 in >=8.2.10
Can't find patched version that satisfies postcss@^7.0.6 in >=8.2.10
Can't find patched version that satisfies yargs-parser@^16.0.0 in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Upgraded deps: <none>

Do you have any advice? Or am I overreacting about these vulnerabilities?

[hawkeye64]

fb55/css-what#519

[Dirk-]

Okay. So I am not overreacting, I am spooked. ;)

[ontwikkelfabriek]

@Dirk-

Do you have any advice? Or am I overreacting about these vulnerabilities?

These are audit results from one of my Quasar apps (1.15.13):

1133 vulnerabilities found - Packages audited: 1882
Severity: 682 Low | 124 Moderate | 327 High
Done in 8.06s.

[Dirk-]

Okay, you won.

[rstoenescu]

The only way for the audit to not report anything is to upgrade to Quasar v2.
There's a lot of packages that cannot be upgraded for Qv1 because of Webpack 4. Upgrading to Webpack 5 for Qv1 would mean the mother of all breaking changes.

But, regardless of above, there is literally zero impact over the production code outputted (your /dist). These are packages used only on the devserver itself.

[Dirk-]

These are packages used only on the devserver itself.

You are right, thanks for pointing this out.