Skip to content

test-utils shipped as a production dependency — pulls in bson@0.5.7 (critical advisories), event-stream, faker #256

Description

@Prabhakar-Poudel

@alma/widgets declares "test-utils": "^1.1.1" in dependencies (every published version from 4.0.0 through 4.4.0). That resolves to the unrelated test-utils package on npm, which drags in mgeneratejs@0.4.0 and through it roughly 30 old, unmaintained packages: bson@0.5.7, event-stream@3.3.5/4.0.1, faker@3.1.0, chance, mongodb-extended-json, etc.

bson@0.5.7 carries critical advisories (GHSA-4jwp-vfvf-657p, GHSA-v8w9-2789-6hhr), so installing the widget puts a critical finding into every consumer's npm audit / Dependabot / SCA reports. There is no clean fix on the consumer side: npm overrides can't remove a transitive dependency, and since dist/widgets.js is fully bundled, these packages look like pure dead weight at install time anyway.

Repro:

npm i @alma/widgets
npm ls bson

└─┬ @alma/widgets@4.4.0
  └─┬ test-utils@1.1.1
    └─┬ mgeneratejs@0.4.0
      ├── bson@0.5.7
      └─┬ mongodb-extended-json@1.11.1
        └── bson@1.1.6

npm audit   # critical severity: bson <=1.1.3

My guess is test-utils (and possibly preact-utils) are internal workspace packages that leaked into the published package.json under their public npm names.

Could you move them out of dependencies in a patch release?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions