Is it possible to remove the vulnerability introduced by ajv?

[evansrobert]

Hi, @MikeRalphson, I stumbled upon a high severity vulnerability introduced by package ajv@5.5.2:

Issue Description

When I build my project, I notice that a vulnerability(high severity) CVE-2020-15366 detected in package ajv<6.12.3 is directly referenced by oas-validator@4.0.8.
However, oas-validator@4.0.8 is so popular that a large number of latest versions of active and popular downstream projects depend on it (79,470 downloads per week and about 42 downstream projects, e.g., @redocly/developer-portal 1.0.0-beta.161, @redocly/reference-docs-lib 1.3.26, @redocly/redoc-int 2.0.0-rc.62, @mojaloop/central-services-shared 13.0.5, @adobe/parliament-ui-components 4.6.2, etc.).
In this case, the vulnerability CVE-2020-15366 can be propagated into these downstream projects and expose security threats to them.
As you can see, oas-validator@4.0.8 is introduced into the above projects via the following package dependency paths:
(1)@adobe/gatsby-theme-aio@3.15.0 ➔ @adobe/parliament-site-search-index@0.0.4 ➔ widdershins@4.0.1 ➔ swagger2openapi@6.2.3 ➔ oas-validator@4.0.8 ➔ ajv@5.5.2
......

I know that it's kind of you to have removed the vulnerability since oas-validator@5.0.0. But, in fact, the above large amount of downstream projects cannot easily upgrade oas-validator from version 4.0.8 to (>=5.0.0):
The projects such as widdershins, which introduced oas-validator@4.0.8, are not maintained anymore. These unmaintained packages can neither upgrade oas-validator nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package oas-validator@4.0.8 ?

Suggested Solution

Since these inactive projects set a version constaint 4.0.* for oas-validator on the above vulnerable dependency paths, if oas-validator removes the vulnerability from 4.0.8 and releases a new patched version oas-validator@4.0.9, such a vulnerability patch can be automatically propagated into the downstream projects.

In oas-validator@4.0.9, maybe you can try to perform the following upgrade:
ajv ^5.5.2 ➔ ^6.12.3;
Note:
ajv@6.12.3(>=6.12.3) has fixed the vulnerability CVE-2020-15366.

Thank you for your attention to this issue and welcome to share other ways to resolve the issue.

Best regards,
^_^

[MikeRalphson]

widdershins is still maintained, and the next release will use the latest version of oas-validator. I'm not sure why any other projects would have problems migrating to the later version, unless you have specific information?

[evansrobert]

@MikeRalphson Thank you for your feedback. Since the latest version(4.0.1) of widdershins was released a year ago, I mistakenly assumed it was no longer maintained. Of course, if you can kindly release a new pached version widdershins@4.0.2 which uses the latest version of oas-validator, such a vulnerability patch can also be automatically propagated into the downstream projects. And please let me know that. Thanks again.^_^