Status: Open
Labels: bug (Something isn't working)
Description
What happened?
When I run npm install on a Plasmo-based Chrome extension project, npm reports around 70 vulnerabilities (3 moderate, 67 high), all coming from Plasmo's internal dependencies (mainly @plasmohq/* and @parcel/* packages).
Version
Latest
What OS are you seeing the problem on?
Windows
What browsers are you seeing the problem on?
Chrome
Relevant log output
PS C:\Users\DELL\Desktop\chrome-extension> npm i
npm warn deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm warn deprecated [email protected]: The work that was done in this beta branch won't be included in future versions
added 612 packages, and audited 613 packages in 2m
198 packages are looking for funding
run `npm fund` for details
70 vulnerabilities (3 moderate, 67 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
PS C:\Users\DELL\Desktop\chrome-extension> npm audit
# npm audit report
@parcel/reporter-dev-server <=2.14.4
Severity: high
Depends on vulnerable versions of @parcel/plugin
Parcel has an Origin Validation Error vulnerability - https://github.com/advisories/GHSA-qm9p-f9j5-w83w
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@parcel/reporter-dev-server
@parcel/config-default 2.3.1 - 2.14.4
Depends on vulnerable versions of @parcel/bundler-default
Depends on vulnerable versions of @parcel/compressor-raw
Depends on vulnerable versions of @parcel/namer-default
Depends on vulnerable versions of @parcel/optimizer-css
Depends on vulnerable versions of @parcel/optimizer-htmlnano
Depends on vulnerable versions of @parcel/optimizer-image
Depends on vulnerable versions of @parcel/optimizer-svgo
Depends on vulnerable versions of @parcel/optimizer-swc
Depends on vulnerable versions of @parcel/packager-css
Depends on vulnerable versions of @parcel/packager-html
Depends on vulnerable versions of @parcel/packager-js
Depends on vulnerable versions of @parcel/packager-raw
Depends on vulnerable versions of @parcel/packager-svg
Depends on vulnerable versions of @parcel/reporter-dev-server
Depends on vulnerable versions of @parcel/resolver-default
Depends on vulnerable versions of @parcel/runtime-browser-hmr
Depends on vulnerable versions of @parcel/runtime-js
Depends on vulnerable versions of @parcel/runtime-react-refresh
Depends on vulnerable versions of @parcel/runtime-service-worker
Depends on vulnerable versions of @parcel/transformer-babel
Depends on vulnerable versions of @parcel/transformer-css
Depends on vulnerable versions of @parcel/transformer-html
Depends on vulnerable versions of @parcel/transformer-image
Depends on vulnerable versions of @parcel/transformer-js
Depends on vulnerable versions of @parcel/transformer-json
Depends on vulnerable versions of @parcel/transformer-postcss
Depends on vulnerable versions of @parcel/transformer-posthtml
Depends on vulnerable versions of @parcel/transformer-raw
Depends on vulnerable versions of @parcel/transformer-react-refresh-wrap
Depends on vulnerable versions of @parcel/transformer-svg
node_modules/@parcel/config-default
@plasmohq/parcel-config >=0.5.0
Depends on vulnerable versions of @parcel/compressor-raw
Depends on vulnerable versions of @parcel/config-default
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/optimizer-data-url
Depends on vulnerable versions of @parcel/reporter-bundle-buddy
Depends on vulnerable versions of @parcel/resolver-default
Depends on vulnerable versions of @parcel/runtime-service-worker
Depends on vulnerable versions of @parcel/transformer-babel
Depends on vulnerable versions of @parcel/transformer-css
Depends on vulnerable versions of @parcel/transformer-graphql
Depends on vulnerable versions of @parcel/transformer-inline-string
Depends on vulnerable versions of @parcel/transformer-js
Depends on vulnerable versions of @parcel/transformer-less
Depends on vulnerable versions of @parcel/transformer-postcss
Depends on vulnerable versions of @parcel/transformer-raw
Depends on vulnerable versions of @parcel/transformer-react-refresh-wrap
Depends on vulnerable versions of @parcel/transformer-sass
Depends on vulnerable versions of @parcel/transformer-svg-react
Depends on vulnerable versions of @parcel/transformer-worklet
Depends on vulnerable versions of @plasmohq/parcel-bundler
Depends on vulnerable versions of @plasmohq/parcel-compressor-utf8
Depends on vulnerable versions of @plasmohq/parcel-namer-manifest
Depends on vulnerable versions of @plasmohq/parcel-optimizer-encapsulate
Depends on vulnerable versions of @plasmohq/parcel-optimizer-es
Depends on vulnerable versions of @plasmohq/parcel-packager
Depends on vulnerable versions of @plasmohq/parcel-resolver
Depends on vulnerable versions of @plasmohq/parcel-resolver-post
Depends on vulnerable versions of @plasmohq/parcel-runtime
Depends on vulnerable versions of @plasmohq/parcel-transformer-inject-env
Depends on vulnerable versions of @plasmohq/parcel-transformer-inline-css
Depends on vulnerable versions of @plasmohq/parcel-transformer-manifest
Depends on vulnerable versions of @plasmohq/parcel-transformer-svelte
Depends on vulnerable versions of @plasmohq/parcel-transformer-vue
node_modules/@plasmohq/parcel-config
plasmo 0.33.0 || >=0.51.0-alpha.1
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/fs
Depends on vulnerable versions of @parcel/package-manager
Depends on vulnerable versions of @plasmohq/parcel-config
Depends on vulnerable versions of @plasmohq/parcel-core
node_modules/plasmo
content-security-policy-parser <0.6.0
Severity: high
content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE - https://github.com/advisories/GHSA-w2cq-g8g3-gm83
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/content-security-policy-parser
@plasmohq/parcel-transformer-manifest *
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/fs
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
Depends on vulnerable versions of content-security-policy-parser
node_modules/@plasmohq/parcel-transformer-manifest
esbuild <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/esbuild
tsup <=8.3.6
Depends on vulnerable versions of esbuild
node_modules/tsup
@plasmohq/parcel-resolver-post *
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
Depends on vulnerable versions of tsup
node_modules/@plasmohq/parcel-resolver-post
msgpackr <1.10.1
Severity: high
msgpackr's conversion of property names to strings can trigger infinite recursion - https://github.com/advisories/GHSA-7hpj-7hhx-2fgx
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/lmdb/node_modules/msgpackr
lmdb 2.6.0-alpha1 - 2.8.0
Depends on vulnerable versions of msgpackr
node_modules/lmdb
@parcel/cache 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/fs
Depends on vulnerable versions of lmdb
node_modules/@parcel/cache
@parcel/core 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/cache
Depends on vulnerable versions of @parcel/fs
Depends on vulnerable versions of @parcel/package-manager
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
Depends on vulnerable versions of @parcel/workers
node_modules/@parcel/core
@plasmohq/parcel-bundler 0.5.1 || >=0.5.3
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
node_modules/@plasmohq/parcel-bundler
@plasmohq/parcel-optimizer-es 0.3.1 || >=0.3.3
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
node_modules/@plasmohq/parcel-optimizer-es
@plasmohq/parcel-runtime 0.19.3 || >=0.20.2
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
node_modules/@plasmohq/parcel-runtime
@plasmohq/parcel-transformer-inline-css 0.3.5 || >=0.3.7
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
node_modules/@plasmohq/parcel-transformer-inline-css
@plasmohq/parcel-transformer-svelte *
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of svelte
node_modules/@plasmohq/parcel-transformer-svelte
@parcel/types 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/cache
Depends on vulnerable versions of @parcel/fs
Depends on vulnerable versions of @parcel/package-manager
Depends on vulnerable versions of @parcel/workers
node_modules/@parcel/types
@parcel/fs 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/types
Depends on vulnerable versions of @parcel/workers
node_modules/@parcel/fs
@parcel/node-resolver-core 2.8.4-nightly.0 - 3.0.3
Depends on vulnerable versions of @parcel/fs
node_modules/@parcel/node-resolver-core
@parcel/package-manager 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/fs
Depends on vulnerable versions of @parcel/node-resolver-core
Depends on vulnerable versions of @parcel/types
Depends on vulnerable versions of @parcel/workers
node_modules/@parcel/package-manager
@parcel/packager-html 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
node_modules/@parcel/packager-html
@parcel/packager-svg 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
node_modules/@parcel/packager-svg
@parcel/plugin 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/types
node_modules/@parcel/plugin
@parcel/bundler-default 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/bundler-default
@parcel/compressor-raw 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/compressor-raw
@parcel/namer-default 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/namer-default
@parcel/optimizer-css 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/optimizer-css
@parcel/optimizer-data-url 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/optimizer-data-url
@parcel/optimizer-htmlnano 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/optimizer-htmlnano
@parcel/optimizer-svgo 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/optimizer-svgo
@parcel/optimizer-swc 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/optimizer-swc
@parcel/packager-css 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/packager-css
@parcel/packager-js 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/packager-js
@parcel/packager-raw 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/packager-raw
@parcel/reporter-bundle-buddy 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/reporter-bundle-buddy
@parcel/resolver-default 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/node-resolver-core
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/resolver-default
@parcel/runtime-browser-hmr 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/runtime-browser-hmr
@parcel/runtime-js 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/config-default/node_modules/@parcel/runtime-js
@parcel/runtime-react-refresh 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/runtime-react-refresh
@parcel/runtime-service-worker 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/runtime-service-worker
@parcel/transformer-babel 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-babel
@parcel/transformer-css 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-css
@parcel/transformer-graphql 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-graphql
@parcel/transformer-html 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-html
@parcel/transformer-inline-string 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-inline-string
@parcel/transformer-json 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-json
@parcel/transformer-less 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-less
@parcel/transformer-postcss 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-postcss
@parcel/transformer-posthtml 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-posthtml
@parcel/transformer-raw 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-raw
@parcel/transformer-react-refresh-wrap 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-react-refresh-wrap
@parcel/transformer-sass 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-sass
@parcel/transformer-svg 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-svg
@parcel/transformer-svg-react 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-svg-react
@parcel/transformer-worklet 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
node_modules/@parcel/transformer-worklet
@plasmohq/parcel-compressor-utf8 0.0.1 || >=0.0.5
Depends on vulnerable versions of @parcel/plugin
node_modules/@plasmohq/parcel-compressor-utf8
@parcel/workers 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/types
node_modules/@parcel/workers
@parcel/optimizer-image 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/workers
node_modules/@parcel/optimizer-image
@parcel/transformer-image 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/workers
node_modules/@parcel/transformer-image
@parcel/transformer-js 2.8.4-nightly.0 - 2.9.3
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/workers
node_modules/@parcel/transformer-js
@plasmohq/parcel-namer-manifest >=0.3.9
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
node_modules/@plasmohq/parcel-namer-manifest
@plasmohq/parcel-optimizer-encapsulate 0.0.3 || >=0.0.5
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
node_modules/@plasmohq/parcel-optimizer-encapsulate
@plasmohq/parcel-packager 0.6.10 || >=0.6.12
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
node_modules/@plasmohq/parcel-packager
@plasmohq/parcel-resolver 0.12.5 || >=0.13.0
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
node_modules/@plasmohq/parcel-resolver
@plasmohq/parcel-transformer-inject-env 0.2.8 || >=0.2.10
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
node_modules/@plasmohq/parcel-transformer-inject-env
@plasmohq/parcel-transformer-vue *
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
node_modules/@plasmohq/parcel-transformer-vue
@plasmohq/parcel-core 0.1.2 || >=0.1.5
Depends on vulnerable versions of @parcel/cache
Depends on vulnerable versions of @parcel/core
Depends on vulnerable versions of @parcel/fs
Depends on vulnerable versions of @parcel/package-manager
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of @parcel/types
Depends on vulnerable versions of @parcel/workers
node_modules/@plasmohq/parcel-core
svelte <4.2.19
Severity: moderate
Svelte has a potential mXSS vulnerability due to improper HTML escaping - https://github.com/advisories/GHSA-8266-84wp-wv5c
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/svelte
70 vulnerabilities (3 moderate, 67 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
(OPTIONAL) Contribution
- I would like to fix this BUG via a PR
Code of Conduct
- I agree to follow this project's Code of Conduct
- I checked the current issues for duplicate problems.
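As an added triage example (not code from the Plasmo project or from the issue author), the script below parses a plain-text npm audit report like the one above and separates the root advisories (entries that carry a GHSA link) from findings that only inherit them through "Depends on vulnerable versions of" lines. It assumes the report layout shown in the log, where each entry ends at its node_modules path line, and runs on a constructed excerpt of that report.

```javascript
// Added example (not code from the Plasmo project or the issue author): split a
// plain-text `npm audit` report into root advisories (entries with a GHSA link)
// and findings that only inherit them. SAMPLE_REPORT is a constructed excerpt.
const SAMPLE_REPORT = `# npm audit report
@parcel/reporter-dev-server <=2.14.4
Severity: high
Parcel has an Origin Validation Error vulnerability - https://github.com/advisories/GHSA-qm9p-f9j5-w83w
node_modules/@parcel/reporter-dev-server
@parcel/config-default 2.3.1 - 2.14.4
Depends on vulnerable versions of @parcel/reporter-dev-server
node_modules/@parcel/config-default
content-security-policy-parser <0.6.0
Severity: high
content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE - https://github.com/advisories/GHSA-w2cq-g8g3-gm83
node_modules/content-security-policy-parser
@plasmohq/parcel-transformer-manifest *
Depends on vulnerable versions of @parcel/plugin
Depends on vulnerable versions of content-security-policy-parser
node_modules/@plasmohq/parcel-transformer-manifest
svelte <4.2.19
Severity: moderate
Svelte has a potential mXSS vulnerability due to improper HTML escaping - https://github.com/advisories/GHSA-8266-84wp-wv5c
node_modules/svelte
5 vulnerabilities (1 moderate, 4 high)`;

// Parse the report into entries; a "node_modules/..." line closes each entry.
function parseAuditReport(text) {
  const entries = [];
  let cur = null;
  for (const line of text.split("\n").map((l) => l.trim())) {
    if (!line || line.startsWith("#")) continue;
    if (/^\d+ vulnerabilit/.test(line)) break; // summary line ends the report
    if (cur === null) { // first line of an entry: "<package> <vulnerable range>"
      const sp = line.indexOf(" ");
      cur = { name: line.slice(0, sp), range: line.slice(sp + 1), severity: null, advisory: null, dependsOn: [], path: null };
    } else if (line.startsWith("Severity: ")) cur.severity = line.slice(10);
    else if (line.startsWith("Depends on vulnerable versions of ")) cur.dependsOn.push(line.slice(34));
    else if (line.includes("https://github.com/advisories/")) cur.advisory = line.slice(line.lastIndexOf("/") + 1);
    else if (line.startsWith("node_modules/")) { cur.path = line; entries.push(cur); cur = null; }
  }
  return entries;
}

// Root advisories need a patched release; other findings inherit one through "Depends on" edges.
function triage(entries) {
  const byName = new Map(entries.map((e) => [e.name, e]));
  const rootsOf = (name, seen = new Set()) => {
    const e = byName.get(name);
    if (!e || seen.has(name)) return [];
    seen.add(name);
    const found = e.advisory ? [e.advisory] : [];
    for (const dep of e.dependsOn) found.push(...rootsOf(dep, seen));
    return [...new Set(found)];
  };
  return {
    roots: entries.filter((e) => e.advisory !== null).map((e) => e.name),
    transitive: entries.filter((e) => e.advisory === null).map((e) => ({ name: e.name, via: rootsOf(e.name) })),
  };
}
```

On the full report in this issue the same walk yields five root advisories (the five GHSA links in the log); every other entry in the count of 70 is propagation from one of those.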