This repository has been archived by the owner on May 6, 2024. It is now read-only.

ReDoS security issues that may require Nuxt v3 upgrade #422

Closed
16 tasks
wesley-dean-gsa opened this issue May 12, 2022 · 0 comments


wesley-dean-gsa commented May 12, 2022

User Story

As a BEARS security engineer, in order to address outstanding ReDoS security findings, I would like to update our dependencies to incorporate ReDoS-resistant tooling.

Security findings 6 (css-what) and 10 (glob-parent) relate to our use of Nuxt v2.15.8. These findings are both considered "moderate" and relate to "ReDoS" (Regular Expression Denial of Service) vulnerabilities.

Unfortunately, 2.15.8, released on August 11, 2021, is the current release. The most recent commit to the default branch was on December 17, 2021.

It appears that nuxt v2 isn't receiving active development. Issue #9284 was created when the issue was discovered. It seems like attention is being focused on v3 and the v2 => v3 bridge projects.

For what it's worth, a release candidate of v3 is currently (May, 2022) available. That said, v2 => v3 is a major release and, by semantic versioning standards, involves changes that are not backwards-compatible. It's entirely possible that we'll need to rewrite some code to go from v2 to v3.

Pre-conditions:

  • a version of Nuxt is available that addresses concerns with css-what and glob-parent

Acceptance Criteria:

Definition of Done:

  • Code complete
  • Tests coverage is greater than team benchmark (90% goal)
  • Security scans passed
  • Acceptance Criteria is met and it works as expected
  • Accessibility tested
  • Build process and deployment is automated and repeatable
  • Load testing/performance testing
  • Self Documentation whenever possible
  • Feature toggles if appropriate
  • Deployed to staging
  • Usability testing
  • PR approved / Peer reviewed
  • PO approved
wesley-dean-gsa added this to Product Backlog in 10x BEARS - Phase 4 via automation May 12, 2022
10x BEARS - Phase 4 automation moved this from Product Backlog to Done Feb 3, 2023
FatmaBakir reopened this Feb 3, 2023
10x BEARS - Phase 4 automation moved this from Done to Product Backlog Feb 3, 2023
10x BEARS - Phase 4 automation moved this from Product Backlog to Done Jan 30, 2024
No branches or pull requests

3 participants