Sublime Forum

Installed Linter and Node.js I now have vulnerabilities

#1

I have installed the Linter package and the csslint and htmllint. To install the last two I have had to install Node.js on my Mac.

The CSS and HTML linters appear to work fine in Sublime.

However, when I installed the htmllint by typing the following into Terminal

sudo npm install -g htmlhint@latest

I get the following worrying message in Terminal:

Screenshot

In Terminal I’ve typed in and pressed enter:

npm audit fix --force

I get the following

screenshot2

When I installed Node I got the following message, which I don’t understand and have not done anything with.

Help!

0 Likes

#2

I’d suggest asking on a forum related to npm or node. This has nothing to do with Sublime Text.

0 Likes

#3

The vulnerabilities are nothing to do with NodeJS – they are vulnerabilities in the SublimeLinter-csslint and SublimeLinter-contrib-htmlhint packages.

What can I do about this?

0 Likes

#4

Specifically they’re related to the NodeJS packages that those Sublime Text packages are installing in order to get the tooling they need to perform their function.

In any case, the appropriate vector for help with a Sublime Text package is the author of the package itself.

0 Likes

#5

Those ST packages use those npm packages, yes, but those npm packages are unrelated to ST in the same way that node and JavaScript themselves are unrelated to ST. You could bring it up with the relevant ST package author, but you’ll most likely end up looking at htmlhint in isolation.

0 Likes

#6

When I installed csslint, Terminal displayed a vulnerability message. I then installed htmllint and it displayed more vulnerabilities. So it wasn’t just the htmllint.

I have no idea how to contact the people who make these packages. I’ve never used Git and can’t see a way to contact them anyway. There doesn’t seem to be an email address or phone number.

0 Likes

#7

Searching for npm and htmllint leads to https://www.npmjs.com/package/htmllint, leading to this github repository https://github.com/htmllint/htmllint and this issue which seems to indicate it’s no longer maintained: https://github.com/htmllint/htmllint/issues/279

0 Likes

#8

The problem is ultimately related to Node.js and its package manager NPM. The way NPM works is that it informs end users about any vulnerabilities in the installed package (whether they are just potential or actual). The fact that you get a warning about a vulnerability doesn’t necessarily mean you’re exposed to a direct risk, but the package(s) being listed do contain intrinsic vulnerabilities which may be exploited by malicious third parties.

The point is that if you decide to install Node.js you sort of have to live with that because you’ll inevitably end up getting these notices. Often a package which wasn’t flagged as containing a vulnerability will end up being flagged after an update (of the package or NPM) because a new vulnerability was discovered in the meantime, so the package(s) no longer pass the security test.

Node packages rely on other packages, so it’s common to bump into such notices, especially if the flagged package is no longer being updated by its creator (which is often the case). Also, Node.js has a fairly fast development cycle, so unmaintained packages can quickly end up being flagged, e.g. if they use features which have become deprecated.

These problems are not exclusive to Node.js/NPM, for the same principles apply to any language which uses a package manager. At least NPM informs you about them. But possibly with NPM the situation is somewhat accentuated because there is a tendency to overuse third party packages even for simple tasks — a well known example of this was NPM’s “left-pad”, a package consisting of 11 lines of code to handle text padding; when in 2016 the package was deleted the entire Internet experienced severe service breakdowns for days.

I personally find it excessive that any application should depend on a third party package for a single function as simple as text padding, especially in an ecosystem as fast-evolving as Node/NPM, but that’s just my personal opinion, and the rest is history.

Bottom line, if you decide that you need to install Node.js because you need some of its NPM packages, you’ll also have to accept the fact that from time to time you’ll see these vulnerability warnings, since not all packages are promptly updated (bear in mind that most of these packages are maintained by volunteers who work on them in their free time). Unless the culprit package is abandoned, chances are that eventually it will be updated and the vulnerability resolved. But often you’ll be dealing with long dead packages, so unless the author of the package depending on the former finds an alternative package to use or, failing that, re-implements it from scratch, these warnings might end up showing for quite some time.

2 Likes
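The audit warnings discussed in this thread are easier to act on when the findings are sorted by what they mean for you: whether the vulnerable package is one you installed directly or one pulled in transitively, whether npm has a non-breaking fix, whether the only fix is a semver-major upgrade (which is exactly what the `npm audit fix --force` from the first post would install), or whether no fix exists at all, which is the usual signature of an abandoned package. The script below is an added example, not code from the thread, from npm, or from the SublimeLinter packages. It reads the JSON shape that `npm audit --json` prints on npm 7 and later (a top-level `vulnerabilities` object keyed by package name, with `isDirect`, `via`, `effects` and `fixAvailable` fields). The embedded `SAMPLE_AUDIT` report is constructed for illustration; its package names and advisory titles are placeholders, not real packages or advisories.

```javascript
// Added example (not from the forum thread, npm, or SublimeLinter).
// Triages an `npm audit --json` report (npm 7+ shape) into direct vs.
// transitive findings and safe / breaking / no-fix categories.
// SAMPLE_AUDIT is constructed: placeholder package names and advisories.

const SEVERITY_ORDER = ['critical', 'high', 'moderate', 'low', 'info'];

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'example-lint-tool': {
      name: 'example-lint-tool',
      severity: 'high',
      isDirect: true,
      // A string in `via` means "vulnerable only through this dependency".
      via: ['example-helper'],
      effects: [],
      range: '<=1.2.0',
      fixAvailable: { name: 'example-lint-tool', version: '1.3.0', isSemVerMajor: false },
    },
    'example-helper': {
      name: 'example-helper',
      severity: 'high',
      isDirect: false,
      // An object in `via` is the advisory itself.
      via: [{ title: 'Placeholder advisory: regular expression denial of service',
              severity: 'high', url: 'https://example.invalid/advisory-1' }],
      effects: ['example-lint-tool'],
      range: '<0.5.0',
      fixAvailable: { name: 'example-lint-tool', version: '1.3.0', isSemVerMajor: false },
    },
    'example-abandoned': {
      name: 'example-abandoned',
      severity: 'moderate',
      isDirect: true,
      via: [{ title: 'Placeholder advisory: prototype pollution',
              severity: 'moderate', url: 'https://example.invalid/advisory-2' }],
      effects: [],
      range: '*',
      fixAvailable: false, // no published version fixes it
    },
    'example-breaking': {
      name: 'example-breaking',
      severity: 'critical',
      isDirect: true,
      via: [{ title: 'Placeholder advisory: path traversal',
              severity: 'critical', url: 'https://example.invalid/advisory-3' }],
      effects: [],
      range: '<3.0.0',
      fixAvailable: { name: 'example-breaking', version: '3.0.0', isSemVerMajor: true },
    },
  },
};

// Advisory objects in `via`; string entries only name other vulnerable packages.
function advisoriesOf(entry) {
  return (entry.via || []).filter((v) => typeof v === 'object' && v !== null);
}

// npm reports fixAvailable as false, true, or { name, version, isSemVerMajor }.
function fixKind(entry) {
  const fix = entry.fixAvailable;
  if (!fix) return 'none';
  if (fix === true) return 'safe';
  return fix.isSemVerMajor ? 'breaking' : 'safe';
}

function triageAudit(report) {
  const vulns = Object.values((report && report.vulnerabilities) || {});
  const tri = {
    total: vulns.length,
    bySeverity: Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0])),
    direct: [], transitive: [], safeFix: [], breakingFix: [], noFix: [], rootCauses: [],
  };
  for (const entry of vulns) {
    if (entry.severity in tri.bySeverity) tri.bySeverity[entry.severity] += 1;
    (entry.isDirect ? tri.direct : tri.transitive).push(entry.name);
    const kind = fixKind(entry);
    if (kind === 'safe') tri.safeFix.push(entry.name);
    else if (kind === 'breaking') tri.breakingFix.push(entry.name);
    else tri.noFix.push(entry.name);
    for (const adv of advisoriesOf(entry)) {
      tri.rootCauses.push({ pkg: entry.name, severity: adv.severity,
                            title: adv.title, affects: entry.effects || [] });
    }
  }
  return tri;
}

// One line per category, then the root-cause advisories with what they affect.
function formatTriage(tri) {
  const counts = SEVERITY_ORDER.filter((s) => tri.bySeverity[s])
    .map((s) => `${tri.bySeverity[s]} ${s}`).join(', ');
  const lines = [`${tri.total} vulnerable package(s): ${counts}`];
  lines.push(`direct: ${tri.direct.join(', ') || 'none'}`);
  lines.push(`transitive: ${tri.transitive.join(', ') || 'none'}`);
  lines.push(`fixable by \`npm audit fix\`: ${tri.safeFix.join(', ') || 'none'}`);
  lines.push(`needs semver-major bump (\`--force\`): ${tri.breakingFix.join(', ') || 'none'}`);
  lines.push(`no fix published (consider replacing): ${tri.noFix.join(', ') || 'none'}`);
  for (const rc of tri.rootCauses) {
    const affects = rc.affects.length ? ` -> affects ${rc.affects.join(', ')}` : '';
    lines.push(`  [${rc.severity}] ${rc.pkg}: ${rc.title}${affects}`);
  }
  return lines.join('\n');
}

console.log(formatTriage(triageAudit(SAMPLE_AUDIT)));
```

To use it on a real project, replace `SAMPLE_AUDIT` with the parsed output of `npm audit --json` run in the project directory. The `breakingFix` list is what `npm audit fix --force` would change, since `--force` lets audit fix install semver-major updates to top-level dependencies; the `noFix` list is where no update will ever clear the warning and the only remedies are replacing the package or asking its maintainer (or the maintainer of the package depending on it) to switch to something maintained.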

#9

Thank you for your comprehensive reply. Given that I don’t know what I’m doing I’ve decided to be cautious and have (I think) deleted both the Sublime Packages and node.js. I’m disappointed that to install certain Sublime packages I also have to install node.js. It isn’t a straightforward process.

0 Likes

#10

You’re going to bump into Node.js again and again when doing web development anyway.

0 Likes

#11

You are concerned about those vulnerabilities in the context of running local services. The major issue though is those that run the world’s critical infrastructure and nearly everything connected to the web.

0 Likes

#12

This is a really excellent point and one that keeps me awake at night @deathaxe - only half joking.

I’m heartened that the OP wasn’t jaded enough to just accept the warnings and continue - probably not feasible in the long term unfortunately.

0 Likes