
[@open-wc/eslint-config]: severity vulnerability in trim-newlines #2225

Open
jarrodek opened this issue Jun 8, 2021 · 4 comments

Comments

@jarrodek
Contributor

jarrodek commented Jun 8, 2021

Yesterday I started seeing audit reports like this:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ trim-newlines                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.1 <4.0.0 || >=4.0.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @open-wc/eslint-config [dev]                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @open-wc/eslint-config > eslint-plugin-wc >                  │
│               │ validate-element-name > meow > trim-newlines                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1753                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 1162 scanned packages
  1 vulnerability requires manual review. See the full report for details.

If possible, please, update the dependency.

@stephenwade
Contributor

stephenwade commented Jun 10, 2021

This vulnerability doesn't affect meow and therefore doesn't affect us. You don't need to worry about it. sindresorhus/meow#185 (comment)

Fixing the alert will depend on all the packages in the chain updating to a version that doesn't trigger it. meow and validate-element-name have already been updated, but they also are ESM-only packages now and I don't know if eslint-plugin-wc can move to ESM yet. If that happens then @open-wc/eslint-config can update and resolve the alert, but I don't know if it will happen soon.
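One way to do the triage described in the comment above (which version of the flagged package is actually reachable, through which chain, and is that chain dev-only?) is to resolve the dependency paths from the lockfile instead of trusting the audit summary. The script below is an added example and is not code from this issue or from the open-wc project. It walks a constructed, lockfile-v1-shaped tree: the package names follow the audit path printed above, but the version numbers, the `some-runtime-lib` package and the `package.json` fragment are made up for the demonstration; the patched range is the one npm audit reported.

```javascript
// Added example: resolve every path from a project's direct dependencies to a
// target package, check the resolved version against an advisory's patched
// range, and flag whether the path is reachable only via devDependencies.

// Patched range exactly as printed by npm audit for trim-newlines.
const PATCHED_RANGE = '>=3.0.1 <4.0.0 || >=4.0.1';

// Constructed package.json fragment (not the project's real one).
const SAMPLE_PACKAGE_JSON = {
  dependencies: { 'some-runtime-lib': '^2.0.0' },
  devDependencies: { '@open-wc/eslint-config': '^4.3.0' },
};

// Constructed lockfile-v1-shaped tree: hoisted packages at the top level, with a
// nested copy of trim-newlines under meow. All version numbers are made up.
const SAMPLE_LOCK = {
  dependencies: {
    '@open-wc/eslint-config': { version: '4.3.0', dev: true, requires: { 'eslint-plugin-wc': '^1.3.0' } },
    'eslint-plugin-wc': { version: '1.3.0', dev: true, requires: { 'validate-element-name': '^2.1.1' } },
    'validate-element-name': { version: '2.1.1', dev: true, requires: { meow: '^3.7.0' } },
    meow: {
      version: '3.7.0', dev: true, requires: { 'trim-newlines': '^1.0.0' },
      dependencies: { 'trim-newlines': { version: '1.0.0', dev: true } },
    },
    'trim-newlines': { version: '3.0.1' },
    'some-runtime-lib': { version: '2.0.0', requires: { 'trim-newlines': '^3.0.1' } },
  },
};

// Minimal semver handling: major.minor.patch only, comparators >=, <=, >, <, =,
// alternatives separated by "||". Enough for ranges of the form npm audit prints.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).filter(Boolean).every(cmp => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cmp);
      const c = compare(v, parseVersion(m[2]));
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '<': return c < 0;
        default: return c === 0;
      }
    }));
}

// Depth-first walk over "requires", resolving each name the way Node does:
// a package's own nested "dependencies" shadow the enclosing scopes.
function findPaths(lock, pkg, target) {
  const root = lock.dependencies || {};
  const found = [];
  function visit(name, node, scopes, path, viaDev) {
    if (path.includes(name)) return; // cycle guard
    const here = [...path, name];
    if (name === target) {
      found.push({ path: here, version: node.version, viaDev });
      return;
    }
    const inner = node.dependencies ? [node.dependencies, ...scopes] : scopes;
    for (const dep of Object.keys(node.requires || {})) {
      const scope = inner.find(s => Object.prototype.hasOwnProperty.call(s, dep));
      if (scope) visit(dep, scope[dep], inner, here, viaDev);
    }
  }
  const roots = [
    ...Object.keys(pkg.dependencies || {}).map(n => [n, false]),
    ...Object.keys(pkg.devDependencies || {}).map(n => [n, true]),
  ];
  for (const [name, viaDev] of roots) {
    if (root[name]) visit(name, root[name], [root], [], viaDev);
  }
  return found;
}

// One row per resolved path: chain, resolved version, patched?, dev-only?
function triage(lock, pkg, target, patchedRange) {
  return findPaths(lock, pkg, target).map(p => ({
    path: p.path.join(' > '),
    version: p.version,
    patched: satisfies(p.version, patchedRange),
    devOnly: p.viaDev,
  }));
}

const REPORT = triage(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON, 'trim-newlines', PATCHED_RANGE);
for (const row of REPORT) {
  console.log(`${row.patched ? 'ok ' : 'VULN'} ${row.devOnly ? '[dev] ' : '[prod]'} ${row.version}  ${row.path}`);
}
```

On the constructed input the runtime path resolves the hoisted 3.0.1 (patched) while the eslint-config chain resolves meow's nested 1.0.0, which is what the audit flagged; the `devOnly` column is the evidence that the finding never reaches production code. Against a real project, replace the two constants with the parsed `package.json` and `package-lock.json`.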

@jarrodek
Contributor Author

I have to comply with organization standards and each alert like this means tons of messages from the info sec team to fix this and me explaining that this is a dev dependency and not really directly causing a vulnerability. It's not bad, but it is a pain :)

@stale

stale bot commented Jul 8, 2021

Hi everyone! Seems like there hasn't been much going on in this issue lately. If there are still questions, comments, or bugs, please feel free to continue the discussion. Unfortunately, we don't have time to get to every issue. We are always open to contributions so please send us a pull request if you would like to help. Inactive issues will be closed after 30 days. Thanks!

@stale stale bot added the inactive label Jul 8, 2021
@sanmai-NL
Contributor

The stale bot may clean up issues for new features that do not gain traction, but of course not for QA issues. Please fix the bot.

@stale stale bot removed the inactive label Jul 8, 2021