Recently, I received a lot of warnings about these from GitHub security alerts, which npm audit
cannot even detect yet. And GitHub cannot automate the fixes either.
"acorn": ">=5.7.4",
"minimist": ">=1.2.2"
After looking it up, and realizing that Yarn has selective dependency resolutions, I realized that I can do this on npm as well.
"resolutions": {
  "acorn": ">=5.7.4",
  "minimist": ">=1.2.2"
}
rm -rf node_modules
npx npm-force-resolutions && npm i
But still, it stops me from using Pug.js in Vue. So, I decided not to fix Acorn...
├─┬ @vue/cli-plugin-babel@4.2.3
│ └─┬ webpack@4.42.0
│   └── acorn@6.4.1
├─┬ @vue/cli-service@4.2.3
│ ├── acorn@7.1.1
│ └─┬ webpack-bundle-analyzer@3.6.1
│   └── acorn@7.1.1
└─┬ vue-cli-plugin-pug@1.0.7
  └─┬ pug@2.0.4
    ├─┬ pug-code-gen@2.0.2
    │ └─┬ with@5.1.1
    │   ├── acorn@3.3.0
    │   └─┬ acorn-globals@3.1.0
    │     └── acorn@4.0.13
    └─┬ pug-lexer@4.1.0
      └─┬ is-expression@3.0.0
        └── acorn@4.0.13
Not sure if this is safe. After some review, it seems that this is totally Pug.js's fault. Not that I have alternatives (clean syntax without the need for explicit closing tags).
I did hear a lot that npm audit fix leads to broken dependencies... Also, is Node.js / npm a security hell?
Top comments (1)
I'm not sure what your error with Vue is; but I used the following resolutions to fix the security issue.
I had to force `with` to upgrade too since I was getting the following error otherwise. Turns out `with` was using `acorn` but they dropped that dependency back in 2016, but whatever was pulling in `with` was using an old version. So the newer version of `with` uses `babel` instead of `acorn`.