Hi! Just joined the PixiJS family to start a hobby journey. I'm using this new CLI, with the Creation Templates > Web, and just when running npm install I got a wall of issues, including some high/critical vulnerabilities in subpackages and a lot of warnings about deprecated, unsupported and/or unmaintained packages, and failed cleanups.
It's worth saying that this is not happening with Bundler Templates > Vite, so I suppose that the packages used when setting up the Web Template cause this.
Is the dev team of this CLI aware of it? I couldn't find anything about this here on Issues or on Discord. I suppose I will stick to just npm audit fix --force to resolve until 0 vulnerabilities, but I don't know if this could break any functionality of this template, because there are some major breaking changes in subpackages... Also, I'll post this as an Issue just to add it to the record.
npm audit fix report
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install @assetpack/core@0.8.0, which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
msdf-bmfont-xml >=2.6.0
Depends on vulnerable versions of update-notifier
node_modules/msdf-bmfont-xml
@assetpack/core >=1.0.0-rc
Depends on vulnerable versions of msdf-bmfont-xml
node_modules/@assetpack/core
jpeg-js <=0.4.3
Severity: high
Infinite loop in jpeg-js - GHSA-xvf7-4v9q-58w6
Uncontrolled resource consumption in jpeg-js - GHSA-w7q9-p3jq-fmhm
fix available via npm audit fix
node_modules/jpeg-js
@jimp/jpeg <=0.12.0
Depends on vulnerable versions of jpeg-js
node_modules/@jimp/jpeg
@jimp/types <=0.11.1-canary.891.908.0
Depends on vulnerable versions of @jimp/jpeg
node_modules/@jimp/types
jimp 0.3.6-alpha.5 - 0.21.4--canary.1163.d07ed6254d130e2995d24101e93427ec091016e6.0
Depends on vulnerable versions of @jimp/custom
Depends on vulnerable versions of @jimp/types
node_modules/jimp
minimist <=0.2.3
Severity: critical
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - GHSA-xvch-5gv4-984h
fix available via npm audit fix
node_modules/mkdirp/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp
@jimp/core <=0.21.4--canary.1163.d07ed6254d130e2995d24101e93427ec091016e6.0
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of phin
node_modules/@jimp/core
@jimp/custom <=0.21.4--canary.1163.d07ed6254d130e2995d24101e93427ec091016e6.0
Depends on vulnerable versions of @jimp/core
node_modules/@jimp/custom
phin <3.7.1
Severity: moderate
phin may include sensitive headers in subsequent requests after redirect - GHSA-x565-32qp-m3vf
fix available via npm audit fix
node_modules/phin
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
After running npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit Updating @assetpack/core to 0.8.0, which is a SemVer major change.
added 18 packages, removed 336 packages, changed 10 packages, and audited 176 packages in 5s
39 packages are looking for funding
run npm fund for details
found 0 vulnerabilities
I have some more projects using Node on my computer, so let me know if any of this is in any way my fault and those packages are unrelated to the way the CLI builds/installs the required ones in this project, but I doubt it.
Kind regards!
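
One way to see, before running npm audit fix --force, which findings need the forced major change and which a plain npm audit fix resolves, as an added example that is not part of the original post or the CLI's code. It assumes the report layout of npm audit --json (audit report version 2); triageAudit, ghsa, forced and sampleReport are hypothetical names, and the sample is constructed from the packages and advisory IDs listed above.

```javascript
// Added example (not from the issue): triage `npm audit --json` output.
const ORDER = ['critical', 'high', 'moderate', 'low', 'info'];

function triageAudit(report) {
  const safe = [];       // fixed by plain `npm audit fix`
  const breaking = {};   // needs --force, grouped by the package that changes major
  const unfixable = [];  // no fix published
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    // `via` holds advisory objects for root causes and plain strings for
    // packages that are flagged only because they depend on one.
    const advisories = vuln.via.filter((v) => typeof v === 'object');
    if (advisories.length === 0) continue;
    const entry = {
      name: vuln.name,
      severity: vuln.severity,
      advisories: advisories.map((a) => a.url.split('/').pop()),
    };
    const fix = vuln.fixAvailable;
    if (fix && fix.isSemVerMajor) {
      const target = `${fix.name}@${fix.version}`;
      (breaking[target] = breaking[target] || []).push(entry);
    } else if (fix) {
      safe.push(entry);
    } else {
      unfixable.push(entry);
    }
  }
  safe.sort((a, b) => ORDER.indexOf(a.severity) - ORDER.indexOf(b.severity));
  return { safe, breaking, unfixable };
}

// Constructed sample: a trimmed report carrying packages and advisory IDs
// listed in the issue, laid out like npm's audit report version 2.
const ghsa = (id) => ({ url: `https://github.com/advisories/${id}` });
const forced = { name: '@assetpack/core', version: '0.8.0', isSemVerMajor: true };
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    got: { name: 'got', severity: 'moderate', via: [ghsa('GHSA-pfrx-2q88-qq97')], fixAvailable: forced },
    'package-json': { name: 'package-json', severity: 'moderate', via: ['got'], fixAvailable: forced },
    phin: { name: 'phin', severity: 'moderate', via: [ghsa('GHSA-x565-32qp-m3vf')], fixAvailable: true },
    'jpeg-js': { name: 'jpeg-js', severity: 'high',
      via: [ghsa('GHSA-xvf7-4v9q-58w6'), ghsa('GHSA-w7q9-p3jq-fmhm')], fixAvailable: true },
    minimist: { name: 'minimist', severity: 'critical',
      via: [ghsa('GHSA-vh95-rmgr-6w4m'), ghsa('GHSA-xvch-5gv4-984h')], fixAvailable: true },
  },
};

console.log(JSON.stringify(triageAudit(sampleReport), null, 2));
```

To run it on a real project, pass the parsed output of npm audit --json to triageAudit instead of sampleReport. In the report above the only forced target is @assetpack/core@0.8.0, which sits below the affected range >=1.0.0-rc, so that group is the one to check against the template before forcing.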