bug: Security Threats Denial of Service Regular expression denial of service - No fix available - using Ionic Capacitor (v3.0.2) Blank Starter App #4790

Closed
edocbuhtig opened this issue Jul 3, 2021 · 3 comments

edocbuhtig commented Jul 3, 2021

Bug Report

Capacitor Version

3.0.2

Platform(s)

MAC OS BigSur 11.4

Current Behavior

Create a new Ionic (Angular) (Capacitor) Blank Starter app with below command:

ionic start demo blank

Security threats thrown by npm audit:

# npm audit report

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix --force`
Will install @ionic/[email protected], which is a breaking change
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    cheerio  0.19.0 - 1.0.0-rc.3
    Depends on vulnerable versions of css-select
    node_modules/cheerio
      @ionic/angular-toolkit  >=2.2.0
      Depends on vulnerable versions of cheerio
      node_modules/@ionic/angular-toolkit

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
No fix available
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/webpack-dev-server/node_modules/chokidar
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar
    node_modules/webpack-dev-server
      @angular-devkit/build-angular  *
      Depends on vulnerable versions of @angular-devkit/build-webpack
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-angular
      @angular-devkit/build-webpack  *
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@angular-devkit/build-webpack

9 vulnerabilities (5 moderate, 4 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Expected Behavior

For a base starter app, 9 vulnerabilities (5 moderate, 4 high) should be 0 vulnerabilities (0 moderate, 0 high).

Code Reproduction

Pick a framework! 😁

Please select the JavaScript framework to use for your new app. To bypass this
prompt next time, supply a value for the --type option.

? Framework: Angular
✔ Preparing directory ./demo in 1.22ms
✔ Downloading and extracting blank starter in 250.69ms
? Integrate your new app with Capacitor to target native iOS and Android? Yes
> ionic integrations enable capacitor --quiet -- demo
> npm i --save -E @capacitor/core@latest

added 1626 packages, and audited 1627 packages in 1m

130 packages are looking for funding
  run `npm fund` for details

9 vulnerabilities (5 moderate, 4 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
> npm i -D -E @capacitor/cli@latest

added 35 packages, and audited 1662 packages in 6s

131 packages are looking for funding
  run `npm fund` for details

9 vulnerabilities (5 moderate, 4 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
> npm i --save -E @capacitor/haptics @capacitor/app @capacitor/keyboard @capacitor/status-bar

added 4 packages, and audited 1666 packages in 5s

131 packages are looking for funding
  run `npm fund` for details

9 vulnerabilities (5 moderate, 4 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
> capacitor init demo  --web-dir www
✔ Creating capacitor.config.ts in /Users/xxx/demo in 34.21ms
[success] capacitor.config.ts created!

Next steps: 
https://capacitorjs.com/docs/getting-started#where-to-go-next
[OK] Integration capacitor added!

Installing dependencies may take several minutes.

  ──────────────────────────────────────────────────────────────────────────────

         Ionic Advisory, tailored solutions and expert services by Ionic

                             Go to market faster 🏆
                    Real-time troubleshooting and guidance 💁
        Custom training, best practices, code and architecture reviews 🔎
      Customized strategies for every phase of the development lifecycle 🔮

                        👉  https://ion.link/advisory  👈

  ──────────────────────────────────────────────────────────────────────────────


> npm i

up to date, audited 1666 packages in 3s

131 packages are looking for funding
  run `npm fund` for details

9 vulnerabilities (5 moderate, 4 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
> git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint: 	git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint: 	git branch -m <name>
Initialized empty Git repository in /Users/xxx/demo/.git/
> git add -A
> git commit -m "Initial commit" --no-gpg-sign
[master (root-commit) e8a39b4] Initial commit
 40 files changed, 36480 insertions(+)
 create mode 100644 .browserslistrc
 create mode 100644 .editorconfig
 create mode 100644 .eslintrc.json
 create mode 100644 .gitignore
 create mode 100644 angular.json
 create mode 100644 capacitor.config.ts
 create mode 100644 e2e/protractor.conf.js
 create mode 100644 e2e/src/app.e2e-spec.ts
 create mode 100644 e2e/src/app.po.ts
 create mode 100644 e2e/tsconfig.json
 create mode 100644 ionic.config.json
 create mode 100644 karma.conf.js
 create mode 100644 package-lock.json
 create mode 100644 package.json
 create mode 100644 src/app/app-routing.module.ts
 create mode 100644 src/app/app.component.html
 create mode 100644 src/app/app.component.scss
 create mode 100644 src/app/app.component.spec.ts
 create mode 100644 src/app/app.component.ts
 create mode 100644 src/app/app.module.ts
 create mode 100644 src/app/home/home-routing.module.ts
 create mode 100644 src/app/home/home.module.ts
 create mode 100644 src/app/home/home.page.html
 create mode 100644 src/app/home/home.page.scss
 create mode 100644 src/app/home/home.page.spec.ts
 create mode 100644 src/app/home/home.page.ts
 create mode 100644 src/assets/icon/favicon.png
 create mode 100644 src/assets/shapes.svg
 create mode 100644 src/environments/environment.prod.ts
 create mode 100644 src/environments/environment.ts
 create mode 100644 src/global.scss
 create mode 100644 src/index.html
 create mode 100644 src/main.ts
 create mode 100644 src/polyfills.ts
 create mode 100644 src/test.ts
 create mode 100644 src/theme/variables.scss
 create mode 100644 src/zone-flags.ts
 create mode 100644 tsconfig.app.json
 create mode 100644 tsconfig.json
 create mode 100644 tsconfig.spec.json

Your Ionic app is ready! Follow these next steps:

- Go to your new project: cd ./demo
- Run ionic serve within the app directory to see your app in the browser
- Run ionic capacitor add to add a native iOS or Android project using Capacitor
- Generate your app icon and splash screens using cordova-res --skip-config
--copy
- Explore the Ionic docs for components, tutorials, and more:
https://ion.link/docs
- Building an enterprise app? Ionic has Enterprise Support and Features:
https://ion.link/enterprise-edition

Other Technical Details

npm --version output: 7.19.1

node --version output: 14.17.2

Ionic:

   Ionic CLI                     : 6.16.3 
   Ionic Framework               : @ionic/angular 5.6.11
   @angular-devkit/build-angular : 12.0.5
   @angular-devkit/schematics    : 12.1.1
   @angular/cli                  : 12.0.5
   @ionic/angular-toolkit        : 2.1.2

Capacitor:

   Capacitor CLI      : 3.0.2
   @capacitor/android : not installed
   @capacitor/core    : 3.0.2
   @capacitor/ios     : not installed
@edocbuhtig edocbuhtig changed the title bug: Denial of Service Regular expression denial of service - No fix available - using Ionic Capacitor (v3.0.2) Blank Starter App bug: Security Threats Denial of Service Regular expression denial of service - No fix available - using Ionic Capacitor (v3.0.2) Blank Starter App Jul 3, 2021
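The glob-parent finding above (advisory 1751, "Regular expression denial of service") is worth seeing rather than just reading. The script below is an added example, not code from this issue, from glob-parent or from Ionic. It uses the two "enclosure" regexes as I recall them from glob-parent 5.1.1 (vulnerable) and 5.1.2 (fixed); treat that recollection as an assumption and compare it against the package source before relying on it. It times both patterns on a hostile input, an opening brace followed by many slashes and no closing brace, which is the shape of the public proof of concept for this advisory.

```javascript
// Added example (not from the issue or from glob-parent itself): the two
// "enclosure" regexes as I recall them from glob-parent 5.1.1 (vulnerable,
// npm advisory 1751) and 5.1.2 (fixed). Assumption: verify against the
// package source before relying on this.
const ENCLOSURE_VULNERABLE = /[\{\[].*[\/]*.*[\}\]]$/;
const ENCLOSURE_FIXED = /[\{\[].*[\}\]]$/;

// Hostile input: "{" followed by n slashes and no closing brace. Each of
// `.*`, `[\/]*` and the second `.*` can absorb slashes, so when the final
// `[\}\]]$` fails the backtracker tries roughly n^3/6 ways to split the
// slashes among the three before giving up. The fixed pattern has a single
// `.*`, so the same failure costs O(n).
function hostileInput(n) {
  return '{' + '/'.repeat(n);
}

// Run one regex once and report the result plus wall-clock milliseconds.
function timeTest(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Compare both patterns. Returns a structured result so callers can assert
// on it instead of reading printed output.
function compare(n) {
  // Constructed benign globs: the fix must not change behaviour on these.
  const benign = ['{a,b}/c', '[abc]', '{a/b}', 'src/**/*.ts', 'plain/path'];
  const hostile = hostileInput(n);
  return {
    agreeOnBenign: benign.every(
      (s) => ENCLOSURE_VULNERABLE.test(s) === ENCLOSURE_FIXED.test(s)
    ),
    vulnerable: timeTest(ENCLOSURE_VULNERABLE, hostile),
    fixed: timeTest(ENCLOSURE_FIXED, hostile),
  };
}

// Stand-alone run: node redos-demo.js
if (typeof require !== 'undefined' && require.main === module) {
  const r = compare(1000);
  console.log(`benign inputs agree: ${r.agreeOnBenign}`);
  console.log(`vulnerable: matched=${r.vulnerable.matched} in ${r.vulnerable.ms.toFixed(1)} ms`);
  console.log(`fixed:      matched=${r.fixed.matched} in ${r.fixed.ms.toFixed(1)} ms`);
}
```

Both patterns accept exactly the same strings (`.*[\/]*.*` matches nothing that `.*` alone does not), so the 5.1.2 change is purely about backtracking cost; growing `n` makes the vulnerable timing climb cubically while the fixed one stays flat. Note that glob-parent only runs this regex over the glob string handed to it, so the practical exposure depends on whether untrusted input ever reaches a glob.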
edocbuhtig (Author) commented:

@mhartington - Please, please, can anyone look into this blocker, or advise alternatives for now?

jcesarmobile (Member) commented:

This is a bug in @ionic/angular-toolkit (in one of its dependencies, really) and it's already reported there; it has nothing to do with Capacitor.
ionic-team/angular-toolkit#455

ionitron-bot bot commented Nov 11, 2022

Thanks for the issue! This issue is being locked to prevent comments that are not relevant to the original issue. If this is still an issue with the latest version of Capacitor, please create a new issue and ensure the template is fully filled out.

@ionitron-bot ionitron-bot bot locked and limited conversation to collaborators Nov 11, 2022