
preact-cli has high severity vulnerabilities and npm audit fix runs in circles (3.0.5 <-> 2.2.1)

I'm setting up a preact project with preact-cli:

npx --version # 7.4.0
npx preact-cli create typescript frontend

This tells me:

...
added 1947 packages, and audited 1948 packages in 31s

129 packages are looking for funding
  run `npm fund` for details

3 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
✔ Done!

3 high security vulnerabilities after just running the default setup??
That doesn't sound very reassuring.

npm audit fix

...
fix available via `npm audit fix --force`
Will install preact-cli@2.2.1, which is a breaking change

Ok, so apparently npm fix wants to downgrade preact-cli. Let's go then:

npm audit fix --force

...

fix available via `npm audit fix --force`
Will install preact-cli@3.0.5, which is a breaking change
node_modules/preact-cli/node_modules/webpack-dev-server/node_modules/yargs-parser
node_modules/preact-cli/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of os-locale
  Depends on vulnerable versions of yargs-parser
  node_modules/preact-cli/node_modules/webpack-dev-server/node_modules/yargs
  node_modules/preact-cli/node_modules/yargs
    preact-cli  1.0.0 - 3.0.0-next.3
    Depends on vulnerable versions of extract-text-webpack-plugin
    Depends on vulnerable versions of url-loader
    Depends on vulnerable versions of yargs
    node_modules/preact-cli
    webpack  2.1.0-beta.8 - 4.0.0-alpha.0
    Depends on vulnerable versions of yargs
    node_modules/preact-cli/node_modules/webpack
      extract-text-webpack-plugin  2.0.0-beta.0 - 3.0.2
      Depends on vulnerable versions of webpack
      node_modules/preact-cli/node_modules/extract-text-webpack-plugin
      webpack-dev-server  2.0.0-beta - 3.10.3
      Depends on vulnerable versions of webpack
      Depends on vulnerable versions of yargs
      node_modules/preact-cli/node_modules/webpack-dev-server

17 vulnerabilities (7 low, 8 moderate, 2 high)

Ah yes, downgrading to 2.2.1 introduces new vulnerabilities. They can be solved by undoing the downgrade and going back up to 3.0.5.

This is a circle: npm audit fix --force just switches back and forth between the 3.0.5 and 2.2.1 versions of preact-cli.

Some context: This seems to be a known issue.

Late here (already closed on the CLI repo) but for context, 2.2.1 is a few years old now, and the dependency was a build time one. There's no risk for build time dependencies, especially this one, as it just existed to report changes in your built bundle size.

Always look at what npm audit is actually complaining about. If it's something that's build-time only, you can ignore it.
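The answer's advice is to read what npm audit is actually flagging and separate advisories that are only reachable through build-time tooling from ones that affect code shipped to users. As an added example (not code from the question, the answer or the preact-cli project), the Node script below does that triage over a constructed excerpt of `npm audit --json` output. It assumes the npm 7+ report shape, where each entry under `vulnerabilities` carries `severity` and `nodes` (the node_modules paths of the vulnerable installs), and a package.json in which preact-cli is a devDependency and preact a dependency; the second advisory, `hypothetical-runtime-lib`, is invented purely to show the other branch.

```javascript
// Added example, not from the original page: classify npm audit findings by
// whether every vulnerable install hangs off a devDependency (build-time only)
// or off a production dependency (shipped at runtime).

// Constructed package.json modelled on a preact-cli generated project.
const packageJson = {
  dependencies: { preact: "^10.5.0" },
  devDependencies: { "preact-cli": "^3.0.5" },
};

// Constructed excerpt of `npm audit --json` (npm 7+ shape). The yargs-parser
// paths match the question; the second entry is hypothetical.
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "yargs-parser": {
      name: "yargs-parser",
      severity: "high",
      isDirect: false,
      nodes: [
        "node_modules/preact-cli/node_modules/webpack-dev-server/node_modules/yargs-parser",
        "node_modules/preact-cli/node_modules/yargs-parser",
      ],
    },
    "hypothetical-runtime-lib": {
      name: "hypothetical-runtime-lib",
      severity: "moderate",
      isDirect: false,
      nodes: ["node_modules/preact/node_modules/hypothetical-runtime-lib"],
    },
  },
};

// The top-level dependency a nested install belongs to is the first path
// segment after the leading "node_modules/"; scoped names keep "@scope/".
function topLevelPackage(nodePath) {
  const segs = nodePath.replace(/^node_modules\//, "").split("/");
  return segs[0].startsWith("@") ? `${segs[0]}/${segs[1]}` : segs[0];
}

// Returns { buildTimeOnly: [...], runtime: [...] }. A finding is build-time
// only when every install path roots in a devDependency that is not also a
// production dependency; anything else (including a hoisted package whose
// root is not listed in package.json at all) is conservatively kept as runtime.
function classifyAudit(report, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const result = { buildTimeOnly: [], runtime: [] };
  for (const vuln of Object.values(report.vulnerabilities)) {
    const roots = vuln.nodes.map(topLevelPackage);
    const devOnly = roots.every((r) => dev.has(r) && !prod.has(r));
    const entry = {
      name: vuln.name,
      severity: vuln.severity,
      roots: [...new Set(roots)],
    };
    (devOnly ? result.buildTimeOnly : result.runtime).push(entry);
  }
  return result;
}

const triage = classifyAudit(auditReport, packageJson);
console.log(JSON.stringify(triage, null, 2));
```

To run it against a real project, replace the two constructed objects with `require("./package.json")` and the parsed output of `npm audit --json`. The path heuristic is conservative: npm hoists many packages to the top of node_modules, and a hoisted package's path does not reveal which dependency pulled it in, so those land in `runtime` and need `npm ls <package>` to resolve. npm 7+ can also do the dependency-type split itself with `npm audit --omit=dev`. The script only answers "is this reachable from production code"; whether a build-time advisory matters still depends on what the package does, which is the reasoning the answer applies to yargs-parser.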
