Massive amounts of vulnerabilities

[POD319]

Just attempted to install for the first time, and I'm building from source. Is this amount of deprecated packages and vulnerabilities normal?

added 1928 packages, and audited 2139 packages in 3m

316 packages are looking for funding
run npm fund for details

35 vulnerabilities (1 low, 27 moderate, 6 high, 1 critical)

[fallenbagel]

That's normal. That's just npm packages.

[brianjmurrell]

But what does it mean exactly "35 vulnerabilities" and if it's as it seems, why should that be accepted as normal?

Am I exposing my jellyseerr server to being hacked by having a piece of software on it that has 35 different vulnerabilities to be taken advantage of?

Are these npm package versions that jellyseerr is using that need updating to use the latest version, or at least a version that fixes the vulnerabilities or do the maintainers of these packages that have the 35 vulnerabilities just ignore the fact that their packages have vulnerabilities and just don't fix them? Why does the npm ecosystem tolerate having packages in it that have known vulnerabilities that hav e no fixes for them?

Apologies if these seem like stupid questions, but even though I am a software developer, node is not one of the languages or ecosystems I have worked in.

[TimGels]

I don't think you will be hacked (but nobody can be sure as nothing is hack proof). If you want an added layer of security you can make Jellyseerr accessible only through a VPN. 35 is not an extreme amount as far as I am concerned and noticed for projects in the NPM ecosystem. The NPM tool that scans also scans the dependencies of the dependencies if I recall correctly. It is a lot of effort to keep things and all their dependencies and their dependencies updated (and not even all dependencies that have vulnerabilities have it fixed, ofcourse in a perfect world that would be the case : ) ). I am sure the maintainer of this repository is open to better ideas and implementations of people that want to help getting this number down. But I would not personally classify this as an emergency, as sub-optimal as it may be.

[brianjmurrell]

I guess it's just generally concerning as a development ecosystem/platform that there can be so many unfixed vulnerabilities.

I suppose we can assume (can we?) that none of these vulnerabilities are first-level dependencies (i.e. packages that this package depends on directly) that are not fully up-to-date with their upstream releases? It would be nice if the tool produced a graph of the dependency chains that have all of the vulnerabilities so that one can at least get a visual picture of how bad the problem is.