Security: 61 vulnerabilities in dev dependencies (dumi/umi/webpack toolchain)

[dataCenter430]

Summary

npm audit reports 61 vulnerabilities (25 high, 28 moderate, 8 low) when dev dependencies are included. They come from the docs/build toolchain (dumi, umi, webpack, father, etc.), not from the published library’s production dependencies.

Impact

• Production / published package: No impact — npm audit --omit=dev shows 0 vulnerabilities.
• Developers & CI: Anyone running npm install, npm run build, npm run compile, or npm start (dumi dev) installs and uses these vulnerable dev dependencies.

Notable advisories (high severity)

• serialize-javascript — RCE via RegExp.flags / Date.prototype.toISOString
• minimatch — ReDoS
• node-fetch — header forwarding / redirect size issues
• path-to-regexp — backtracking ReDoS
• nth-check — ReDoS
• Plus moderate issues in @babel/runtime, esbuild, react-router, ajv, elliptic, send, etc.

Suggested actions

1. Run npm audit and, where safe, npm audit fix (avoid --force unless you accept breaking changes).
2. Upgrade dumi/umi and related tooling to versions that depend on patched packages.
3. Optionally track this in CI (e.g. npm audit --audit-level=high) so regressions are caught.

Hey, @afc163 are you able to assign it to me, if needed?
Best regards.