Problem with esbuild and vuetify nuxt module

[Jan-Heussner]

I have an issue with the audit. Why is he forcing me to install the old version of vuetify-nuxt-module?
Does anyone else has the same error?

Error

# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install vuetify-nuxt-module@0.16.1, which is a breaking change
node_modules/importx/node_modules/esbuild
  importx  0.0.2 - 0.3.11 || 0.4.2 - 0.5.1
  Depends on vulnerable versions of esbuild
  node_modules/importx
    unconfig  0.4.0 - 0.4.5 || 0.5.2 - 0.5.5
    Depends on vulnerable versions of importx
    node_modules/unconfig
      vuetify-nuxt-module  >=0.17.0
      Depends on vulnerable versions of unconfig
      node_modules/vuetify-nuxt-module

4 moderate severity vulnerabilities

package.json

{
  "name": "name",
  "type": "module",
  "private": true,
  "scripts": {
    "build": "nuxt build",
    "lint": "eslint .",
    "lint:fix": "eslint . --fix",
    "dev": "nuxt dev --dotenv .env.local",
    "generate": "NODE_OPTIONS=--max_old_space_size=8192 nuxt generate",
    "preview": "nuxt preview",
    "postinstall": "nuxt prepare"
  },
  "dependencies": {
    "@sentry/nuxt": "^9.8.0"
  },
  "optionalDependencies": {
    "@rollup/rollup-darwin-arm64": "^4.36.0",
    "@rollup/rollup-linux-x64-gnu": "^4.36.0",
    "sass-embedded-darwin-arm64": "^1.86.0",
    "sass-embedded-linux-x64": "^1.86.0"
  },
  "devDependencies": {
    "@antfu/eslint-config": "^4.10.1",
    "@iconify-json/mdi": "^1.2.3",
    "@infectoone/vue-ganttastic": "^2.3.2",
    "@mdi/js": "^7.4.47",
    "@nuxt/eslint": "^1.2.0",
    "@nuxt/fonts": "^0.11.0",
    "@nuxt/icon": "^1.11.0",
    "@nuxt/types": "^2.18.1",
    "@nuxtjs/i18n": "^9.3.4",
    "@pinia/nuxt": "^0.10.1",
    "@tiptap/extension-underline": "^2.11.5",
    "@tiptap/pm": "^2.11.5",
    "@tiptap/starter-kit": "^2.11.5",
    "@tiptap/vue-3": "^2.11.5",
    "@vue-flow/background": "^1.3.2",
    "@vue-flow/core": "^1.42.4",
    "chart.js": "^4.4.8",
    "chartjs-plugin-annotation": "^3.1.0",
    "dagre": "^0.8.5",
    "eslint": "^9.22.0",
    "html-to-text": "^9.0.5",
    "jwt-decode": "^4.0.0",
    "nuxt": "^3.16.1",
    "nuxt-open-fetch": "^0.9.5",
    "pinia-plugin-persistedstate": "^4.2.0",
    "sass-embedded": "^1.86.0",
    "text-diff": "^1.0.1",
    "typescript": "^5.7.3",
    "vue-chartjs": "^5.3.2",
    "vue-tsc": "^2.2.8",
    "vuetify": "^3.7.18",
    "vuetify-nuxt-module": "^0.18.4",
    "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.3/xlsx-0.20.3.tgz"
  },
  "overrides": {
    "vue": "latest"
  }
}

[j-foley]

The version of unconfig currently used by this module is compromised by the vulnerability mentioned in the audit. The offending dependency (importx) was removed in v7.0.0 But it looks like @userquin has recently also contributed to unconfig, so maybe there is a reason for not bumping the version here yet.

[userquin]

I'm preparing a new version, too many breaking changes in Nuxt 3.16.0, including Vuetify itself (remapping subpackages exports, fixed in latest release), i18n, unhead and now looks like also importx (unjs ecosystem in global), I need to figure out what's the best strategy since we still want to allow using this module with older Nuxt versions.