
[BUG] CVE-2021-27290 due to using old version of ssri #47

Closed
candrews opened this issue Mar 18, 2021 · 9 comments

Comments

@candrews

Can you please make new releases when this issue is fixed?

Versions 15.0.6 and 12.0.5 (a 12.x release would be nice because many projects depend on cache 12.x).

What / Why

CVE-2021-27290

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

The fix is to bump ssri to 8.0.1.

When

  • n/a

Where

  • n/a

How

Current Behavior

  • n/a

Steps to Reproduce

  • n/a

Expected Behavior

  • n/a

Who

  • n/a

References

  • n/a
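The report above gives the affected ssri range (5.2.2 through 8.0.0, fixed in 8.0.1) and the thread later notes a 6.0.2 backport. As an added example (not cacache's or ssri's own code), the Node script below walks a package-lock.json and reports every nested ssri copy that falls inside that range, which is the check a consumer of cacache 12.x would want before deciding whether they are exposed. The lock data embedded at the bottom is constructed for illustration; the helper names are my own.

```javascript
// Added example: audit a package-lock.json for ssri versions in the range the
// report names as affected (5.2.2 through 8.0.0). Fix releases: 8.0.1 (per the
// advisory) and the 6.0.2 backport mentioned later in this thread.

// "8.0.1" -> [8, 0, 1]; prerelease/build suffixes are ignored for this check.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric major.minor.patch comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

const FIRST_AFFECTED = '5.2.2';
// Each major line that received a fix is patched from that release onwards.
const FIXED_VERSIONS = ['8.0.1', '6.0.2'];

function isVulnerableSsri(version) {
  const [major] = parseVersion(version);
  if (compareVersions(version, FIRST_AFFECTED) < 0) return false;
  for (const fixed of FIXED_VERSIONS) {
    if (parseVersion(fixed)[0] === major) return compareVersions(version, fixed) < 0;
  }
  // Majors 5 and 7 have no fix release inside the range; 9+ is outside it.
  return major < 8;
}

// Returns a list of "path > ssri@x.y.z" strings for every affected copy.
// Handles the nested "dependencies" tree (lockfileVersion 1) and the flat
// "packages" map keyed by node_modules path (lockfileVersion 2/3).
function findVulnerableSsri(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [p, info] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/ssri') && info.version && isVulnerableSsri(info.version)) {
        hits.push(`${p}@${info.version}`);
      }
    }
    return hits;
  }
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === 'ssri' && info.version && isVulnerableSsri(info.version)) {
        hits.push(here.join(' > '));
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lock (not a real project's lockfile): cacache 12.x pins an
// old ssri 6.x, while a sibling dependency already carries the fixed 8.0.1.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    cacache: { version: '12.0.4', dependencies: { ssri: { version: '6.0.1' } } },
    'make-fetch-happen': { version: '8.0.14', dependencies: { ssri: { version: '8.0.1' } } },
  },
};

console.log(findVulnerableSsri(SAMPLE_LOCK)); // ["cacache@12.0.4 > ssri@6.0.1"]
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The path in each hit shows which top-level dependency is pinning the old copy, which is the information needed to decide whether a 12.x backport (as several commenters ask for) or an upgrade of the parent package resolves it.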
@WayneEllery

Since terser-webpack-plugin for webpack v4 depends on 12.x, it would be great if 12 could be patched.

@wraithgar
Member

This module has been updated and the next cli release will include this change.

@AndrewGibson27

@wraithgar Thanks a ton for this fix. Is it possible to also update the ssri dependency in 12.x of this project? For Webpack 4 support.

@dalbitresb12

@wraithgar Strapi also depends on cacache@12.0.4. Is it possible to port this fix for v12? Thanks.

@awebdev

awebdev commented Mar 26, 2021

+1 for adding this patch into v12

@Zajn

Zajn commented Mar 26, 2021

I attempted to backport the bump to v12 and opened a PR, but all the tests that passed for me locally failed in CI. I'm not intimately familiar with node development, so maybe someone more knowledgeable would be able to help me get that in a passing state.

@AndrewGibson27

AndrewGibson27 commented Mar 26, 2021

@Zajn Thanks for opening that PR. I spun it up locally but am also getting failing tests.

In the terser-webpack-plugin repo, @WayneEllery made a great point here about Node-version compatibility. ssri@8.x removes support for Node versions below 8. The package.json of cacache@12.x doesn't have an engines field, so I assume it supports all Node versions. Thus, bumping to ssri@8.x for v12 of this project could constitute a breaking change.

Something else I'm wondering about: According to the vulnerability report, "this issue only affects consumers using the strict option." Does v12 of this project even use the strict option? I did a quick browse through v12 of the code base, and this line is the only thing that jumps out at me.

Finally, I started an issue in the ssri repo asking about protocol for porting the security fix into v6 of that package.

@Zajn

Zajn commented Mar 26, 2021

> Thus, bumping to ssri@8.x for v12 of this project could constitute a breaking change.

> Does v12 of this project even use the strict option? I did a quick browse through v12 of the code base, and this line is the only thing that jumps out at me.

@AndrewGibson27 Both good points. I don't know enough about the project to definitively say yes or no to the usage of strict, but it doesn't appear to me that any of the usages of ssri here do.

I've never done any Node development, so I may have run the tests improperly which gave me a passing result. Locally, I just installed dependencies via npm install and then ran npm test.

> Finally, I started an issue in the ssri repo asking about protocol for porting the security fix into v6 of that package.

Thanks for doing that!

@pedelman

pedelman commented Apr 7, 2021

FYI ssri v6.0.2 released.
npm/ssri#18 (comment)
