
High Advisory On npm audit #1219

Open
Akiharanza opened this issue Aug 18, 2020 · 6 comments

Comments

@Akiharanza

Akiharanza commented Aug 18, 2020

Details of Audit

On 17 August 2020, a security issue was raised against url-regex. Details are as follows:

  High            Regular Expression Denial of Service
  Package         url-regex
  Patched in      No patch available
  Dependency of   backstopjs [dev]
  Path            backstopjs > merge-img > jimp > url-regex
  More info       https://npmjs.com/advisories/1550

Unfortunately, backstopjs is last in the queue for updates, as it is waiting for the following to be completed:

jimp-dev/jimp#926
preco21/merge-img#15

Replication Steps

Run npm audit
Notice the "high" severity vulnerability
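The audit output above is what a CI gate has to act on: a high-severity advisory, reached only through a dev dependency chain, with no patched version to update to. The following is an added example (not BackstopJS project code, and not the npm CLI's own logic) that triages an `npm audit --json` report in the npm 6 report shape of 2020 (an assumption about the layout: `advisories` keyed by id, each with `findings[].paths` as `>`-joined chains and `patched_versions` set to the unsatisfiable range `<0.0.0` when no patch exists) and decides whether a build should be blocked. The sample report is constructed from the advisory fields quoted in the issue; the installed url-regex version is not stated there and is left out.

```javascript
// Added example, not BackstopJS project code: triage an `npm audit --json`
// report (npm 6 layout, an assumption) and decide whether to block a build.

// Order used to compare severities against the configured threshold.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// npm 6 prints "Patched in: No patch available" when patched_versions is the
// unsatisfiable range "<0.0.0" (assumption about the report encoding).
function patchAvailable(advisory) {
  return typeof advisory.patched_versions === 'string'
    && advisory.patched_versions !== '<0.0.0';
}

// Flatten the report into one entry per (advisory, dependency path).
// Dev-only findings are skipped unless includeDev is set, because a policy that
// forbids installing vulnerable dependencies usually applies to what ships;
// pass includeDev: true to enforce it on dev dependencies as well.
function triageAudit(report, { minSeverity = 'high', includeDev = false } = {}) {
  const threshold = SEVERITY_RANK[minSeverity];
  if (threshold === undefined) throw new Error(`unknown severity: ${minSeverity}`);
  const hits = [];
  for (const adv of Object.values(report.advisories || {})) {
    const rank = SEVERITY_RANK[adv.severity];
    if (rank === undefined || rank < threshold) continue;
    for (const finding of adv.findings || []) {
      if (finding.dev && !includeDev) continue;
      for (const pathStr of finding.paths || []) {
        // Root dependency first, vulnerable module last.
        const path = pathStr.split('>');
        hits.push({
          id: adv.id,
          module: adv.module_name,
          severity: adv.severity,
          title: adv.title,
          dev: Boolean(finding.dev),
          root: path[0],
          path,
          patchAvailable: patchAvailable(adv),
          url: adv.url,
        });
      }
    }
  }
  return hits;
}

// One line per hit, ending with the remediation a maintainer can act on:
// either update, or (no patch) drop or replace the direct dependency that
// pulls the vulnerable module in.
function formatHit(hit) {
  const culprit = hit.path[1] || hit.root;
  const fix = hit.patchAvailable
    ? 'update to a patched version'
    : `no patch available: drop or replace "${culprit}"`;
  return `${hit.severity.toUpperCase()} ${hit.module}#${hit.id} ${hit.title}`
    + ` via ${hit.path.join(' > ')}${hit.dev ? ' [dev]' : ''}; ${fix}`;
}

// True when at least one finding meets the policy; a CI step would exit non-zero.
function buildBlocked(report, options) {
  return triageAudit(report, options).length > 0;
}

// Constructed sample report, built from the advisory fields quoted in the issue.
const SAMPLE_REPORT = {
  advisories: {
    1550: {
      id: 1550,
      module_name: 'url-regex',
      severity: 'high',
      title: 'Regular Expression Denial of Service',
      patched_versions: '<0.0.0',
      url: 'https://npmjs.com/advisories/1550',
      findings: [
        { dev: true, paths: ['backstopjs>merge-img>jimp>url-regex'] },
      ],
    },
  },
};

for (const hit of triageAudit(SAMPLE_REPORT, { includeDev: true })) {
  console.log(formatHit(hit));
}
```

With the default policy (high or worse, production dependencies only) the sample report produces no hits, because the only path is a dev one; with `includeDev: true` it produces one hit whose remediation line names `merge-img`, the direct dependency of backstopjs on the path, which is the package the maintainers later agreed to remove.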

@garris
Owner

garris commented Sep 14, 2020

Both of these are part of a hack that was created to compensate for a puppeteer issue related to capturing full screen in some edge cases. I don't think we ever documented this hack so it is ok to remove if the author doesn't respond.

@garris
Owner

garris commented Sep 14, 2020

Oh crap, scratch that, I was wrong. It was documented. https://github.com/garris/BackstopJS

It would be better to fix this feature but again -- I am still ok to remove if this is too complex to maintain.

@stoyko-stanchev-pfpt

Hey @garris - not sure what you meant regarding maintenance. It has been a while and it doesn't seem like the author of merge-img is too active (preco21/merge-img#16).

@wiesesascha
Contributor

I would appreciate an update on this issue.
Due to customer restrictions we are not allowed to install dependencies with high-severity vulnerabilities, and so cannot use BackstopJS for the time being. :'(

@garris
Owner

garris commented Feb 10, 2021

merge-img package was used in a hack to enable capture of very long web pages. I don't think this is required anymore.

If someone would like to remove this package and remove the code path which called this package I would gladly approve that PR.

@wiesesascha
Contributor

I'll try my best to contribute next week :)
