
Bump ssri dependency from 6.0.1 to 6.0.2 to address CVE-2021-27290 #49

Closed

Conversation

Zajn

@Zajn Zajn commented Mar 26, 2021

This bumps ssri to 6.0.2 to address CVE-2021-27290. The original issue was closed after 15.0.6 was released, but many people rely on v12 due to usage of Webpack 4.

References

Related to #47

@Zajn
Author

Zajn commented Mar 26, 2021

Hi, I'm hoping this might help get the ssri bump backported to v12, which I think many people rely on due to Webpack v4.

I tried to follow a CI example for testing and tests appeared to pass for me locally using:
Node v12.21.0
npm v7.7.5

I can see, however, that all CI checks have failed.

package.json Outdated
@@ -71,7 +71,7 @@
"move-concurrently": "^1.0.1",
"promise-inflight": "^1.0.1",
"rimraf": "^2.6.3",
"ssri": "^6.0.1",
"ssri": "^8.0.1",
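Review bot: the range jump from `"ssri": "^6.0.1"` to `"ssri": "^8.0.1"` is two major versions wider than a backport to the v12 line needs, and a new major in a maintenance branch is exactly what breaks tests, as the failing CI checks suggest. Since the regex fix has been published as ssri 6.0.2 (npm/ssri#18), `"ssri": "^6.0.2"` keeps cacache@12 on the same major line while raising the floor past the vulnerable release. Worth noting in the PR description as well that `^6.0.1` already resolves to 6.0.2 on a fresh install, so this bump mostly documents the new minimum rather than changing what consumers receive.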

v6.0.2 is released, we should be able to use that here.

npm/ssri#18 (comment)

Author

Awesome, thanks! I'll update and hopefully that'll break fewer tests :)

Author

That did the trick!

@Zajn Zajn force-pushed the zajn/backport-ssri-update branch from 2c76729 to 2ddd6f1 Compare April 7, 2021 21:53
@Zajn Zajn changed the title Bump ssri dependency from 6.0.1 to 8.0.1 to address CVE-2021-27290 Bump ssri dependency from 6.0.1 to 6.0.2 to address CVE-2021-27290 Apr 7, 2021
@pedelman

pedelman commented Apr 7, 2021

@isaacs @wraithgar @claudiahdz

Appreciate if someone can help take a look at this PR, it should resolve CVE-2021-27290 now that ssri has back ported the regex fix to v6.0.2. This change is important for webpack v4 users, more discussion here: webpack-contrib/terser-webpack-plugin#388.

Also I noticed that the Contributor Guide link in the README is no longer working, please inform if there are any additional steps for this!

Thank you 😄

@wraithgar
Member

This PR is still on our radar, but since we published ssri@6.0.2 users already have a path to resolution.

Webpack 4 users who are keeping current on their subdependencies will get the proper ssri version now:

~/D/n/t $ npm i webpack@4 --loglevel silent
~/D/n/t $ npm ls ssri
t@1.0.0 /Users/wraithgar/Development/npm/t
└─┬ webpack@4.46.0
  └─┬ terser-webpack-plugin@1.4.5
    └─┬ cacache@12.0.4
      └── ssri@6.0.2

@G-Rath

G-Rath commented Apr 18, 2021

@wraithgar

This PR is still on our radar, but since we published ssri@6.0.2 users already have a path to resolution.

Only in some cases - later versions of terser-webpack-plugin pull in higher versions of cacache, including ones that pull in ssri@7, which hasn't been backported yet; while webpack is pulling in v1 of the terser plugin, it seems a lot of other ecosystems are pulling in the higher versions (e.g. laravel-mix, which provides webpack for PHP Laravel apps, and @rails/webpacker, which provides webpack for Ruby on Rails apps).

I've opened npm/ssri#20 backporting the fix to v7 - if we could get that landed then I think we can say the majority (if not all) of users should have an easy path to resolution :)

@nlf
Contributor

nlf commented Aug 26, 2021

Closing. Semver is already ensuring that users who install cacache@12 will receive an up-to-date and patched ssri dependency; this change is effectively nothing but updating the package-lock.json in the repo, which is unnecessary since it's not a part of the published package anyway.

A fix was backported to ssri@7, which closes the loop on the rest of the concerns noted in this issue.

@nlf nlf closed this Aug 26, 2021