Closed
Description
Hi, a Prisma Cloud scan of our Docker container, which has Node 12 and npm 6.14.12, detected a vulnerability in the ssri 6.0.1 package. Any solution for this, please?
Description of the vulnerability and fix below:
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Steps in the Dockerfile we used to install Node 12 and npm:
RUN curl -sL https://deb.nodesource.com/setup_12.x | bash
RUN apt install -y nodejs
# Upgrade npm to 6.14.12
RUN npm install npm@6 -g
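A defender-side check for the situation described in this issue, added here as an example (not code from the reporter or from the npm project): it walks a parsed `package-lock.json` (v1 nested layout or v2/v3 flat `packages` layout), lists every installed copy of `ssri`, and flags versions in the affected range 5.2.2 through 8.0.0 quoted above. The lockfile object is constructed sample data; the version comparison is a minimal MAJOR.MINOR.PATCH compare written for this example, not the `semver` package.

```javascript
// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored here).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Affected range quoted in the issue: 5.2.2 through 8.0.0, fixed in 8.0.1.
function ssriIsAffected(version) {
  return compareSemver(version, '5.2.2') >= 0 && compareSemver(version, '8.0.1') < 0;
}

// Collect every installed copy of ssri from a parsed package-lock.json.
// v2/v3 lockfiles list flat paths under "packages"; v1 nests "dependencies".
function findSsri(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [p, info] of Object.entries(lock.packages)) {
      if (p.endsWith('node_modules/ssri')) hits.push({ path: p, version: info.version });
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, info] of Object.entries(deps || {})) {
        const here = `${prefix}node_modules/${name}`;
        if (name === 'ssri') hits.push({ path: here, version: info.version });
        walk(info.dependencies, `${here}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits.map((h) => ({ ...h, affected: ssriIsAffected(h.version) }));
}

// Constructed sample: npm 6.14.12 carrying ssri 6.0.1 (as in the reporter's
// scan) next to an unrelated package that already ships the fixed 8.0.1.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    npm: { version: '6.14.12', dependencies: { ssri: { version: '6.0.1' } } },
    cacache: { version: '15.0.6', dependencies: { ssri: { version: '8.0.1' } } },
  },
};

// Returns [{ path, version, affected }] for each ssri copy in the lockfile.
const auditLock = (lock = SAMPLE_LOCK) => findSsri(lock);
```

To run it against a real container, pass `JSON.parse(fs.readFileSync('/usr/lib/node_modules/npm/package-lock.json'))` or your project's lockfile to `auditLock`; a result with `affected: true` is the copy the scanner is reporting.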