@japa/assert depends on api-contract-validator that has security vulnerabilities

[ThisIsMissEm]

Package version

3.0.0

Describe the bug

After doing a fresh install of @japa/assert version 3.0.0 in a fresh adonis.js project, npm audit yells about a Prototype Pollution in lodash security vulnerability - GHSA-p6mc-m468-83gw

It seems that this comes from the api-contract-validator plugin; Looking at their repository, it looks like this package has become unmaintained as it hasn't seen a commit in 2 years, and has lots of open pull requests.

It may be an idea to fork into a @japa/api-contract-validator package, such that you can maintain this dependency that seems fairly critical to @japa/assert, since upstream isn't maintaining the api-contract-validator package.

Reproduction repo

No response

[ThisIsMissEm]

I asked this on the Adonis Discord, and was suggested to open an issue here.

[NicolasMarino]

+1

[thetutlage]

It will be a huge task to maintain one more package without completely understanding the OpenAPI spec (I am not an expert with it 😄).

So, for now, I will keep this issue open and see if I am willing to fork and maintain it anytime soon.

Meanwhile, if you come across another well-maintained package, then do update this thread, and we can move to that package (if it looks like a good alternative)

[ThisIsMissEm]

@thetutlage what about moving api assertions into a separate package? That way you've a secure core, without the need to maintain the dependency?

(Of course it is one more package to maintain)

[thetutlage]

Yeah we can do that in the next coming major release. The API schema assertions can be its own Japa plugin.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[RomainLanz]

Keep open

[jorisvilardell]

Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install @japa/assert@1.2.4, which is a breaking change
node_modules/lodash.set
  api-contract-validator  >=2.1.0
  Depends on vulnerable versions of lodash.set
  node_modules/api-contract-validator
    @japa/assert  >=1.3.0
    Depends on vulnerable versions of api-contract-validator
    node_modules/@japa/assert
      @japa/api-client  >=2.0.0-0
fix available via `npm audit fix --force`
Will install @japa/assert@1.2.4, which is a breaking change
node_modules/lodash.set
  api-contract-validator  >=2.1.0
  Depends on vulnerable versions of lodash.set
  node_modules/api-contract-validator
    @japa/assert  >=1.3.0
    Depends on vulnerable versions of api-contract-validator
    node_modules/@japa/assert
      @japa/api-client  >=2.0.0-0
      Depends on vulnerable versions of @japa/assert
      node_modules/@japa/api-client
        @adonisjs/auth  >=9.0.0-0
        Depends on vulnerable versions of @japa/api-client
        Depends on vulnerable versions of @japa/plugin-adonisjs
        node_modules/@adonisjs/auth
        @japa/plugin-adonisjs  >=2.0.0-0
        Depends on vulnerable versions of @japa/api-client
        node_modules/@japa/plugin-adonisjs

[marvin-wtt]

Any update on this?

[thetutlage]

Nope. No updates. Feel free to send a PR with the fix 👍