Closed
Description
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 2.6.9 < 3.0.0 || >= 3.1.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ amplitude-js │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ amplitude-js > @segment/top-domain > component-cookie > │
│ │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 55729 scanned packages
1 vulnerability requires manual review. See the full report for details.
$ npm ls
...
├─┬ amplitude-js@4.5.1
│ ├─┬ @segment/top-domain@3.0.0
│ │ ├─┬ component-cookie@1.1.4
│ │ │ └─┬ debug@2.2.0
...
The @segment/top-domain package has not been updated in 2 years. I suggest switching to something else, or building that functionality yourself...