Summary
@electron-forge/*@7.11.1 (current stable) pins @electron-forge/core-utils@7.11.1, which pins @electron/rebuild: ^3.7.0. @electron/rebuild@3.7.2 has a direct dependency on tar@6.2.1, and also pulls in @electron/node-gyp@10.2.0-electron.1 (via git) → make-fetch-happen@10.2.1 → cacache@16.1.3 → another copy of tar@6.2.1.
tar@6.2.1 is deprecated on npm and carries 6 high-severity advisories:
Downstream, cacache@16 also pulls deprecated @npmcli/move-file@2.0.1 and glob@8.1.0 (transitively pulls deprecated inflight@1.0.6), and @electron/get@3.1.0 pulls global-agent@3.0.0 (which depends on deprecated boolean@3.2.0). npm audit reports 28 vulnerabilities (22 high, 6 low) in a fresh npm install of a project whose only direct deps are @electron-forge/*@^7.11.1.
Upstream state
The 8.0.0-alpha.* line has already moved @electron-forge/core-utils to @electron/rebuild: ^4.0.1, which uses tar: ^7.5.6 (patched) and node-gyp: ^11.2.0 (no git source, no deprecated transitives). So the fix already exists on the 8.0 line.
Ask
Projects that have a hard "no alpha versions in production" policy (like ours) cannot use 8.0.0-alpha.7 and also cannot apply long-lived overrides to the 7.x tree without committing to maintain those overrides themselves. That leaves them shipping with the 28 advisories above.
Options in order of preference:
1. Cut 8.0.0 stable. The @electron/rebuild@^4 upgrade is self-contained; from the package.json diff it looks ready.
2. Backport @electron/rebuild@^4 to a 7.12.x release. @electron-forge/core-utils would need @electron/rebuild: ^4.0.0 (or ^3.7.0 || ^4.0.0 if you want a non-breaking bump window).
3. Drop the git+ssh:// pin on @electron/node-gyp in favor of the registry-published node-gyp@^11. This alone would clear 3 of the 28 advisories and the two npm install warnings ("skipping integrity check for git dependency" and the gitignore-fallback warning).
Happy to send a PR for any of (1)-(3) if there's a direction the maintainers prefer.
Repro
mkdir forge-audit && cd forge-audit
npm init -y
npm install --save-dev @electron-forge/cli@^7.11.1 @electron-forge/plugin-vite@^7.11.1
npm audit
# 28 vulnerabilities (6 low, 22 high)
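Added example (not from the original issue or the Forge project): a small Node script that walks a lockfileVersion 3 package-lock.json and shows the two things this report turns on, namely every installed copy of a package together with the nesting path that pulled it in (here the two tar@6.2.1 copies under @electron/rebuild and cacache), and git-sourced entries, which npm installs without verifying an integrity hash. The lockfile fragment, its version specifiers and the git URL are constructed placeholders modelled on the tree described above, not real metadata.

```javascript
// Added example (not from the original issue or the Forge project): walk a
// lockfileVersion 3 package-lock.json and report (a) every installed copy of a
// package with the nesting path that pulled it in, and (b) git-sourced
// entries, which npm installs without verifying an integrity hash.

// Constructed lockfile fragment modelled on the tree described in the issue.
// Version specifiers and the git URL are placeholders, not real metadata.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { devDependencies: { "@electron-forge/cli": "^7.11.1" } },
    "node_modules/@electron-forge/core-utils": {
      version: "7.11.1",
      dependencies: { "@electron/rebuild": "^3.7.0" },
    },
    "node_modules/@electron/rebuild": {
      version: "3.7.2",
      dependencies: { tar: "^6.2.1", "@electron/node-gyp": "git+ssh://PLACEHOLDER" },
    },
    "node_modules/@electron/rebuild/node_modules/tar": { version: "6.2.1" },
    "node_modules/@electron/node-gyp": {
      version: "10.2.0-electron.1",
      resolved: "git+ssh://git@example.invalid/node-gyp.git#constructed",
    },
    "node_modules/cacache": { version: "16.1.3" },
    "node_modules/cacache/node_modules/tar": { version: "6.2.1" },
    "node_modules/tar": {
      version: "7.5.6",
      resolved: "https://registry.npmjs.org/tar/-/tar-7.5.6.tgz",
      integrity: "sha512-CONSTRUCTED",
    },
  },
};

// "node_modules/a/node_modules/@s/b" -> ["a", "@s/b"]; the root key "" -> [].
function nestingChain(key) {
  return key
    .split("node_modules/")
    .map((part) => part.replace(/\/$/, ""))
    .filter(Boolean);
}

// Leading numeric major of a version string ("6.2.1" -> 6, "10.2.0-electron.1" -> 10).
function majorOf(version) {
  return parseInt(String(version).split(".")[0], 10);
}

// Every installed copy of `name`, with the packages it is nested under.
function findCopies(lock, name) {
  const copies = [];
  for (const [key, meta] of Object.entries(lock.packages)) {
    const chain = nestingChain(key);
    if (chain[chain.length - 1] !== name) continue;
    copies.push({ path: key, version: meta.version, nestedUnder: chain.slice(0, -1) });
  }
  return copies;
}

// Copies whose major version is below `minMajor` (tar@6.x when 7.x is the fixed line).
function outdatedCopies(lock, name, minMajor) {
  return findCopies(lock, name).filter((c) => majorOf(c.version) < minMajor);
}

// Entries resolved from git; npm reports "skipping integrity check" for these.
function gitSourcedEntries(lock) {
  return Object.entries(lock.packages)
    .filter(([, meta]) => typeof meta.resolved === "string" && meta.resolved.startsWith("git+"))
    .map(([key, meta]) => ({ path: key, resolved: meta.resolved, hasIntegrity: Boolean(meta.integrity) }));
}

// Human-readable report lines. To run against a real tree, replace LOCK with
// require("./package-lock.json") and run: node audit-lock.js
function report(lock, name, minMajor) {
  const lines = [];
  for (const c of outdatedCopies(lock, name, minMajor)) {
    const via = c.nestedUnder.length ? `via ${c.nestedUnder.join(" > ")}` : "hoisted at top level";
    lines.push(`${name}@${c.version} at ${c.path} (${via})`);
  }
  for (const g of gitSourcedEntries(lock).filter((g) => !g.hasIntegrity)) {
    lines.push(`git dependency without integrity: ${g.path} -> ${g.resolved}`);
  }
  return lines;
}

console.log(report(LOCK, "tar", 7).join("\n"));
```

On the constructed tree the report lists the two tar@6.2.1 copies (under @electron/rebuild and under cacache) while the hoisted tar@7.5.6 is left alone, and flags the git-sourced @electron/node-gyp entry; the same walk over a real lockfile is a quick way to confirm whether a backport or an override actually removed every stale copy rather than just the hoisted one.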