[project] Unused npm-watch dependency #200

Open
miqmago opened this issue Sep 4, 2023 · 6 comments

Comments

@miqmago

miqmago commented Sep 4, 2023

The @trapezedev/project depends on npm-watch but it seems not to be used anywhere.

npm-watch seems not to be regularly maintained. npm-watch depends on nodemon@^2.0.7 (06/01/2021).
Right now nodemon is 3.0.1.

On an npm audit fix it raises a Severity: moderate

Maybe this dependency could be removed if not used anywhere.

@chacabuk

chacabuk commented Sep 7, 2023

Depends too on mergexml, which seems not to be regularly maintained and depends on deprecated "formidable": "^1.2.1"

@Ericlm

Ericlm commented Sep 28, 2023

Just wanted to give support to this issue, as npm-watch is blocking updates of nodemon, and triggers vulnerability warning :)

@Ericlm

Ericlm commented Apr 30, 2024

npm-watch received a recent release to address the nodemon dependency.
However, as @trapezedev/project is using npm-watch from 0.9.0 instead of 0.12.0, it continues to trigger audit warnings.
I think the simplest way is to remove the dependency as suggested, or at least upgrade npm-watch to ^0.12.0

@chvonrohr

GitLab detects this as high severity risk!

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

I really think you should upgrade or remove that package. If this isn't done after one year (even when receiving PRs), the project seems abandoned, which would be sad for the whole Ionic community.

To still be compliant we overrule the dependency in the package.json like this:

"overrides": {
    "@trapezedev/configure": {
      "npm-watch": "0.13.0"
    }
}

@AntiGuideAkquinet

Seems like this can be closed as de23267 fixed it so version 7.1.0 and up are not vulnerable anymore.

@Yolgie

Yolgie commented Nov 26, 2024

This has been fixed by removing npm-watch in ticket #224 and version 7.1.3

https://github.com/ionic-team/trapeze/releases/tag/7.1.3
