[Bug] nyc-test-coverage uses unmaintained istanbul-instrumenter-loader

[joebowbeer]

What are you really trying to do?

nyc-test-coverage uses unmaintained (archived) istanbul-instrumenter-loader, which results in npm audit findings

Describe the bug

Installing prints several deprecation warnings:

npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

# npm audit report

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install @temporalio/[email protected], which is a breaking change
node_modules/@temporalio/nyc-test-coverage/node_modules/schema-utils/node_modules/ajv
  schema-utils  <=0.4.3
  Depends on vulnerable versions of ajv
  node_modules/@temporalio/nyc-test-coverage/node_modules/schema-utils
    istanbul-instrumenter-loader  >=3.0.0-beta.0
    Depends on vulnerable versions of schema-utils
    node_modules/@temporalio/nyc-test-coverage/node_modules/istanbul-instrumenter-loader
      @temporalio/nyc-test-coverage  >=1.3.0
      Depends on vulnerable versions of istanbul-instrumenter-loader
      node_modules/@temporalio/nyc-test-coverage

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/@temporalio/nyc-test-coverage/node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/@temporalio/nyc-test-coverage/node_modules/webpack

9 vulnerabilities (4 moderate, 5 high)

Minimal Reproduction

1. https://gitpod.io#https://github.com/joebowbeer/temporal-pendulum/tree/patch-client-workflow
2. cd position-node
3. npm ci
4. npm audit

Additional context

See #872

[bergundy]

Looks like that lib is just a few lines: https://github.com/webpack-contrib/istanbul-instrumenter-loader/blob/master/src/index.js