[High Security Vulnerability] due to outdated figma-api-exporter

[pedroresende]

Describe the bug

You're using and outdated version of figma-api-exporter, which has a high security vulnerability because it's using axios

• GHSA-4w2v-q235-vp99
• GHSA-cph5-m8f7-6c5x

Steps to reproduce the behavior

1. npm outdated

[silverwind]

There are a number of deprecations coming from this module:

npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility

npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.

npm WARN deprecated axios@0.19.2: Critical security vulnerability fixed in v0.21.1. For more information, see https://github.com/axios/axios/pull/3410

[silverwind]

Dependency chains for the three deprecations:

└─┬ @storybook/blocks@7.2.1
  └─┬ @storybook/components@7.2.1
    └─┬ @storybook/icons@1.1.2
      └─┬ @svgr/plugin-svgo@5.5.0
        └── svgo@1.3.2

└─┬ @storybook/blocks@7.2.1
  └─┬ @storybook/components@7.2.1
    └─┬ @storybook/icons@1.1.2
      ├── axios@1.4.0
      └─┬ figma-api-exporter@0.0.2
        ├── axios@0.19.2
        └─┬ figma-js@1.16.0
          └── axios@0.21.4

└─┬ @storybook/blocks@7.2.1
  └─┬ @storybook/components@7.2.1
    └─┬ @storybook/icons@1.1.2
      └─┬ @svgr/plugin-svgo@5.5.0
        └─┬ svgo@1.3.2
          └── stable@0.1.8

[cdedreuille]

Thanks a lot for looking into it @pedroresende @silverwind. The icon library doesn't have any dependencies. We only use these libraries locally to generate the icons from Figma. But I agree that we should take the time to fix it. The generator is not built with ESM and I'm not an expert of that. To update all libraries I believe we should fix this all together.

[silverwind]

I see that d2f8113 moved all dependencies to devDependencies, so they will no longer install with 1.1.3 or above and this issue is resolved for users of the module. Developers may theoretically still be vulnerable, though.

[cdedreuille]

Yes you're right @silverwind. I'll keep this issue open as this is still something I would love to resolve. I tried to convert our generator to ESM and updating all packages at the same time but I couldn't work everything out just yet.

[ekilah]

I opened slawomirkolodziej/figma-api-exporter#10 over there at the otherpackage to ask about the changes between 0.0.2 and 1.0.0 for what it's worth