@alma/widgets declares "test-utils": "^1.1.1" in dependencies (every published version from 4.0.0 through 4.4.0). That resolves to the unrelated test-utils package on npm, which drags in mgeneratejs@0.4.0 and through it roughly 30 old, unmaintained packages: bson@0.5.7, event-stream@3.3.5/4.0.1, faker@3.1.0, chance, mongodb-extended-json, etc.
bson@0.5.7 carries critical advisories (GHSA-4jwp-vfvf-657p, GHSA-v8w9-2789-6hhr), so installing the widget puts a critical finding into every consumer's npm audit / Dependabot / SCA reports. There is no clean fix on the consumer side: npm overrides can't remove a transitive dependency, and since dist/widgets.js is fully bundled, these packages look like pure dead weight at install time anyway.
Repro:
npm i @alma/widgets
npm ls bson
└─┬ @alma/widgets@4.4.0
└─┬ test-utils@1.1.1
└─┬ mgeneratejs@0.4.0
├── bson@0.5.7
└─┬ mongodb-extended-json@1.11.1
└── bson@1.1.6
npm audit # critical severity: bson <=1.1.3
My guess is test-utils (and possibly preact-utils) are internal workspace packages that leaked into the published package.json under their public npm names.
Could you move them out of dependencies in a patch release?
@alma/widgetsdeclares"test-utils": "^1.1.1"independencies(every published version from 4.0.0 through 4.4.0). That resolves to the unrelatedtest-utilspackage on npm, which drags inmgeneratejs@0.4.0and through it roughly 30 old, unmaintained packages:bson@0.5.7,event-stream@3.3.5/4.0.1,faker@3.1.0,chance,mongodb-extended-json, etc.bson@0.5.7carries critical advisories (GHSA-4jwp-vfvf-657p, GHSA-v8w9-2789-6hhr), so installing the widget puts a critical finding into every consumer'snpm audit/ Dependabot / SCA reports. There is no clean fix on the consumer side: npmoverridescan't remove a transitive dependency, and sincedist/widgets.jsis fully bundled, these packages look like pure dead weight at install time anyway.Repro:
My guess is
test-utils(and possiblypreact-utils) are internal workspace packages that leaked into the publishedpackage.jsonunder their public npm names.Could you move them out of
dependenciesin a patch release?