Description
Currently, we use lit-analyzer for static analysis of the lit components.
However, during the upgrade, fastnode was accidentally removed when running `npm audit fix --force`
because it used a vulnerable version of glob-parent:
```text
glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/lit-analyzer/node_modules/glob-parent
  fast-glob <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/lit-analyzer/node_modules/fast-glob
    lit-analyzer 0.0.7 - 1.2.1
    Depends on vulnerable versions of fast-glob
    node_modules/lit-analyzer
```
There is a long-standing issue to publish the new version.
In the meantime, we can override the glob-parent dependency as seen here: melink14/rikaikun#1101
UPDATE: There is an issue with `npm install` and `npm ci` not working correctly with overrides:
- [BUG] npm ci still does not work with overrides correctly npm/cli#4942
- [BUG] Overrides are not updating after running npm install npm/cli#4232 (comment)
Short term
If those two issues above are fixed (which means overrides are honored 100% of the time), the vulnerabilities will be fixed. Otherwise, we will need to solve this issue and the #2383 issue, because they contribute to the remaining vulnerabilities.
Luckily, these are build tools.
We have to weigh using vulnerable build tools vs having a broken build tool. I will put a PR together for the former.
Long term
Long term, there is a first-party lit analyzer coming. We should probably use that when it is ready.