'npm audit' outputs warnings if you are running versions of node modules with known security problems. These are not necessarily exploitable in the context of Matomo, but it's still nice to tidy them up.
On current 4.x-dev I get the following.
```
# npm audit report

jquery  <=3.4.1
Severity: high
Cross-Site Scripting - https://npmjs.com/advisories/1518
Cross-Site Scripting (XSS) - https://npmjs.com/advisories/328
Prototype Pollution - https://npmjs.com/advisories/796
fix available via `npm audit fix --force`
Will install jquery@3.6.0, which is a breaking change
node_modules/jquery

materialize-css  *
Severity: moderate
Cross-Site Scripting - https://npmjs.com/advisories/817
No fix available
node_modules/materialize-css

2 vulnerabilities (1 moderate, 1 high)
```
'npm audit' should give Matomo a clean bill of health.
Warnings about problem dependencies are listed.
1) Upgrade jquery to >= 3.6.0 from 2.2.4
2) materialize-css needs to fix this open issue; however, a fix has been slow to appear: https://github.com/Dogfalo/materialize/issues/6286. Failing that, it may be worth seeing if another module can replace it. Or we can just ignore the warning about materialize-css, but that doesn't feel great.
As an aside, it appears that the contents of node_modules is in source control in the Matomo repo. Is that just to be absolutely certain of what version of the dependencies are in use?
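As an added example (not Matomo's own tooling, and not part of the original report): one way to keep `npm audit` useful as a periodic hygiene check without silently ignoring the materialize-css warning is to triage the `npm audit --json` output in a small script that fails on unaccepted findings but tolerates a reviewed, time-boxed exception. The script assumes the npm 7+ JSON shape (`auditReportVersion` 2, with per-advisory objects under `via` and `fixAvailable` per package); the sample report is constructed from the audit output quoted above, and the per-advisory severities, the allowlist reason and its expiry date are assumptions.

```javascript
// Added example, not Matomo code: triage an `npm audit --json` report.
// Fails on findings at or above a severity threshold unless they are covered
// by an unexpired accepted-risk entry. Assumes npm 7+ output (auditReportVersion 2).
// Usage:  npm audit --json > audit.json && node audit-triage.js audit.json
'use strict';

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Accepted-risk list keyed by npm advisory id. 817 is the materialize-css
// advisory from the audit output above; reason text and expiry are assumed.
const ALLOWLIST = {
  817: { reason: 'materialize-css XSS, no upstream fix (Dogfalo/materialize#6286)', expires: '2021-12-31' },
};

// Constructed sample in the npm 7 JSON shape, built from the quoted audit output.
// Per-advisory severities are assumptions; npm reports the package as "high".
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    jquery: {
      name: 'jquery', severity: 'high', isDirect: true, range: '<=3.4.1', nodes: ['node_modules/jquery'],
      via: [
        { source: 1518, name: 'jquery', dependency: 'jquery', title: 'Cross-Site Scripting', url: 'https://npmjs.com/advisories/1518', severity: 'high', range: '<=3.4.1' },
        { source: 328, name: 'jquery', dependency: 'jquery', title: 'Cross-Site Scripting (XSS)', url: 'https://npmjs.com/advisories/328', severity: 'moderate', range: '<3.0.0' },
        { source: 796, name: 'jquery', dependency: 'jquery', title: 'Prototype Pollution', url: 'https://npmjs.com/advisories/796', severity: 'moderate', range: '<3.4.0' },
      ],
      fixAvailable: { name: 'jquery', version: '3.6.0', isSemVerMajor: true },
    },
    'materialize-css': {
      name: 'materialize-css', severity: 'moderate', isDirect: true, range: '*', nodes: ['node_modules/materialize-css'],
      via: [
        { source: 817, name: 'materialize-css', dependency: 'materialize-css', title: 'Cross-Site Scripting', url: 'https://npmjs.com/advisories/817', severity: 'moderate', range: '*' },
      ],
      fixAvailable: false,
    },
  },
};

function advisoriesOf(vuln) {
  // `via` mixes advisory objects (direct findings) with package-name strings
  // (findings inherited through a dependency); only the objects carry an id.
  return (vuln.via || []).filter((v) => v && typeof v === 'object' && v.source !== undefined);
}

function triageAudit(report, { allowlist = ALLOWLIST, minSeverity = 'high', now = new Date() } = {}) {
  const threshold = SEVERITY_RANK[minSeverity];
  const failing = [];
  const accepted = [];
  for (const [pkg, vuln] of Object.entries(report.vulnerabilities || {})) {
    for (const adv of advisoriesOf(vuln)) {
      const finding = {
        package: pkg, id: adv.source, title: adv.title, severity: adv.severity, url: adv.url,
        fixAvailable: vuln.fixAvailable !== false,
        breakingFix: Boolean(vuln.fixAvailable && vuln.fixAvailable.isSemVerMajor),
      };
      const exception = allowlist[adv.source];
      if (exception && new Date(exception.expires) >= now) {
        accepted.push({ ...finding, reason: exception.reason, expires: exception.expires });
        continue;
      }
      // An expired exception must be re-reviewed, so it fails regardless of severity.
      if (exception) finding.note = `accepted-risk entry expired ${exception.expires}`;
      if (exception || SEVERITY_RANK[adv.severity] >= threshold) failing.push(finding);
    }
  }
  return { ok: failing.length === 0, failing, accepted };
}

function formatSummary({ ok, failing, accepted }) {
  const fixNote = (f) => (f.fixAvailable ? (f.breakingFix ? 'fix is a major upgrade' : 'fix available') : 'no fix available');
  const lines = [];
  for (const f of failing) lines.push(`FAIL   ${f.package} ${f.severity} #${f.id} ${f.title} (${fixNote(f)})${f.note ? ` [${f.note}]` : ''}`);
  for (const f of accepted) lines.push(`ACCEPT ${f.package} ${f.severity} #${f.id} until ${f.expires}: ${f.reason}`);
  lines.push(ok ? 'npm audit triage: clean' : `npm audit triage: ${failing.length} finding(s) need attention`);
  return lines.join('\n');
}

// Stand-alone run: triage the file given on the command line, else the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const reportPath = process.argv.slice(2).find((a) => a.endsWith('.json'));
  const report = reportPath ? JSON.parse(require('fs').readFileSync(reportPath, 'utf8')) : SAMPLE_REPORT;
  const result = triageAudit(report);
  console.log(formatSummary(result));
  if (reportPath) process.exitCode = result.ok ? 0 : 1;
}
```

The expiry date is the point of the allowlist: an accepted finding stops being accepted on a known date, so the decision to tolerate materialize-css gets revisited instead of being forgotten, and the summary still shows whether a fix for a failing finding would be a breaking (major) upgrade, as it is for jquery here.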
Matomo is not affected by the jquery vulnerability (if you can reproduce a security issue, please report it to https://matomo.org/security/). See also https://github.com/matomo-org/matomo/issues/17272
I'm not sure if the materialize-css issues are affecting Matomo (I don't think so), but I guess there is also not much that can be done apart from waiting for the fork to become stable (unless again someone can reproduce a specific security issue affecting Matomo) https://github.com/matomo-org/matomo/issues/16368
I would be quite surprised if any of these vulnerabilities were exploitable within Matomo (although it's not impossible). Checking for vulnerable node dependencies is just a code hygiene task I do every so often :)
Reading the issue you linked it sounds like the jquery upgrade is already well under way.