
High severity package vulnerability with browser-sync -> localtunnel -> axios #1578

Closed
tannerdolby opened this issue Jan 6, 2021 · 12 comments
Labels
bug: dependency A problem in one of Eleventy’s dependencies npm-audit Security audits from npm

Comments

@tannerdolby
Contributor

tannerdolby commented Jan 6, 2021

Describe the bug
When installing @11ty/eleventy (v0.11.1) with npm in a new project, I'm seeing this high severity vulnerability across all new projects, and also after updating from v0.11.0 to v0.11.1 in existing projects. After further investigation, here is the link for more information and the fix commit in axios.

To Reproduce
In a fresh project folder (without @11ty/eleventy installed):

  1. Make sure a package.json exists: npm init -y
  2. Run npm install @11ty/eleventy
  3. See the high severity vulnerability warning after npm installing.
  4. Run npm audit to see a more detailed version of the vulnerability.
  5. To fix, just bump axios from 0.19.0 to 0.21.1 and update the integrity and resolved keys for axios {} in package-lock.json near localtunnel.

Note for workaround: I did a fresh npm install axios which uses the latest version 0.21.1 and then copied the integrity and resolved key values to be used in step 5. Since I didn't need axios in my package.json as a dependency I simply removed it with npm uninstall -S axios after obtaining the values needed to update package-lock.json.

When using npm update @11ty/eleventy in an existing project that was previously running v0.11.0, the same high severity vulnerability occurs as mentioned above with browser-sync -> localtunnel -> axios.

Expected behavior
The most updated version of eleventy (v0.11.1) to not have any high severity package vulnerabilities out of the box after installation.

Screenshots
[Screenshot: Screen Shot 2021-01-05 at 8 42 14 PM]

Environment:

  • OS and Version: macOS
  • Eleventy Version: v0.11.1
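An added example, not code from the issue or from Eleventy, that locates the chain the reporter describes by walking an npm 6 package-lock.json (lockfileVersion 1): it reports every nested path to axios whose installed version is below the 0.21.1 fix, which is the entry step 5 tells you to edit. The lockfile, registry URL and integrity value below are constructed placeholders.

```javascript
// Constructed sample of an npm 6 lockfile (lockfileVersion 1): nested
// "dependencies" maps mirror the installed node_modules tree, so the
// vulnerable axios sits under browser-sync -> localtunnel. The resolved
// URL and integrity are placeholders, not real registry values.
const SAMPLE_LOCK = {
  name: 'my-site', lockfileVersion: 1,
  dependencies: {
    '@11ty/eleventy': { version: '0.11.1', requires: { 'browser-sync': '^2.26.13' } },
    'browser-sync': {
      version: '2.26.13',
      requires: { localtunnel: '^2.0.0' },
      dependencies: {
        localtunnel: {
          version: '2.0.0',
          requires: { axios: '0.19.0' },
          dependencies: {
            axios: {
              version: '0.19.0',
              resolved: 'https://registry.example.invalid/axios/-/axios-0.19.0.tgz',
              integrity: 'sha512-PLACEHOLDER',
            },
          },
        },
      },
    },
  },
};

// Compare dotted numeric versions (major.minor.patch); negative means a < b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every copy of `name` in the nested tree, keeping the
// dependency path that led to it (npm can hoist or nest several copies).
function findPackage(deps, name, path = [], out = []) {
  for (const [pkg, entry] of Object.entries(deps || {})) {
    const here = [...path, pkg];
    if (pkg === name) out.push({ path: here.join(' -> '), version: entry.version });
    findPackage(entry.dependencies, name, here, out);
  }
  return out;
}

// Keep only the copies still older than the fixed release.
function vulnerablePaths(lock, name, fixedVersion) {
  return findPackage(lock.dependencies, name)
    .filter((hit) => compareVersions(hit.version, fixedVersion) < 0);
}

console.log(vulnerablePaths(SAMPLE_LOCK, 'axios', '0.21.1'));
```

To run it against a real project, replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json')); each reported path is one entry whose version, resolved and integrity keys the workaround edits.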
@muenzpraeger

Plus one to get this fixed.

@MarcoZehe

Adding my +1, too, also see the Discord chat. This number of vulnerabilities increases if you install something like @11ty/eleventy-plugin-rss.

@PabloC

PabloC commented Jan 6, 2021

+1 for a workaround or a fix to this!

@ThewBear
Contributor

ThewBear commented Jan 7, 2021

It seems that localtunnel hasn't received any updates for 16 months.
localtunnel/localtunnel#377
BrowserSync/browser-sync#1831

@Hazantip

Hazantip commented Jan 7, 2021

+1

@ragebflame

+1

@zachleat
Member

zachleat commented Jan 7, 2021

Follow along at this issue also: BrowserSync/browser-sync#1831

This did happen earlier in 2020 and they did release a patch for it, so hang tight. Previous context: #1164 (comment)

Related: #1305

@zachleat
Member

zachleat commented Jan 7, 2021

Also I would reiterate that browser-sync is intended for development purposes only—do not run it in production!

@zachleat zachleat added bug: dependency A problem in one of Eleventy’s dependencies npm-audit Security audits from npm and removed needs-triage labels Jan 7, 2021
@openmindculture

+1

@waldyrious

waldyrious commented Jan 11, 2021

This issue no longer applies: since browser-sync v2.26.13 (the version currently used by eleventy) specifies the localtunnel dependency as ^2.0.0, now that localtunnel v2.0.1 (which matches the ^2.0.0 version spec) was released with the fix (a couple days ago), any new installations of eleventy will now automatically pick that up. Yay for caret version ranges!

@ThewBear
Contributor

I can confirm that localtunnel v2.0.1 fixes this.
For existing projects, you can update deep dependencies with npm update --depth=<int>, where <int> may be 9.

@tannerdolby
Contributor Author

tannerdolby commented Jan 17, 2021

UPDATE: Tested npm install @11ty/eleventy in a fresh project and the high severity package vulnerability no longer exists. The above npm update --depth=9 doesn't seem to be needed unless for some odd reason the vulnerability is still present for you.

@zachleat As this seems to be resolved, I'm closing this issue 👍

marcamos added a commit to marcamos/jet that referenced this issue Jan 19, 2021