❗️ Note: This is not affecting any of the privacy.sexy users, it is a DoS vulnerability (see CVE) in developer dependency vue-cli v4.
We cannot monkey patch this so we should wait for the new releases for the dependencies.

Vue CLI depends on vulnerable zkat/ssri versions through:

- ssri
  - ssri published a new release for the new version in 8.0.1
  - ssri backported the fix and released 6.0.2 (QUESTION: What branch to merge into for v6 patches? npm/ssri#18) that is used by webpack 4
  - 7.0.2 (fix: backport regex change from 8.0.1 npm/ssri#20)
- terser-webpack-plugin with a dependency to the vulnerable ssri ([BUG] CVE-2021-27290 due to using old version of ssri webpack-contrib/terser-webpack-plugin#388)
- cacache that depends on vulnerable ssri has bumped its dependency version ([BUG] CVE-2021-27290 due to using old version of ssri npm/cacache#47) in newer versions (v15). However webpack 4 depends on older (v12) and the ssri bump is not backported on it yet (Bump ssri dependency from 6.0.1 to 6.0.2 to address CVE-2021-27290 npm/cacache#49).

There's an open issue on vuejs/vue-cli#6424 that has not been addressed yet.
The vulnerability has made it into the npm audit database.
Security checks pipeline is failing since yesterday because of `npm audit` mentioning this, see related GitHub actions run.

See npm audit report:

```
# npm audit report

ssri  5.2.2 - 6.0.1 || 7.0.0 - 8.0.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/565
fix available via `npm audit fix --force`
Will install @vue/cli-service@4.1.1, which is a breaking change
node_modules/@vue/cli-service/node_modules/ssri
node_modules/ssri
  @vue/cli-service  4.0.0-alpha.0 - 4.5.12
  Depends on vulnerable versions of ssri
  Depends on vulnerable versions of terser-webpack-plugin
  node_modules/@vue/cli-service
  cacache  10.0.4 - 11.0.0 || 13.0.0 - 14.0.0
  Depends on vulnerable versions of ssri
  node_modules/@vue/cli-service/node_modules/cacache
  terser-webpack-plugin  2.1.1 - 2.3.8
  Depends on vulnerable versions of cacache
  node_modules/@vue/cli-service/node_modules/terser-webpack-plugin

4 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
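An added example (not code from the issue or from the privacy.sexy project) of the check a maintainer wants while waiting for upstream backports: walk a package-lock.json v1-style dependency tree and report every root-to-leaf path that ends in an ssri version inside the advisory's vulnerable ranges (5.2.2 - 6.0.1 || 7.0.0 - 8.0.0). The lockfile excerpt and all versions in it are constructed to mirror the @vue/cli-service > terser-webpack-plugin > cacache > ssri chain from the report; the semver comparison assumes plain x.y.z versions.

```javascript
// Vulnerable ssri ranges, inclusive bounds, as listed in the npm audit report above.
const VULNERABLE_SSRI = [
  { min: '5.2.2', max: '6.0.1' },
  { min: '7.0.0', max: '8.0.0' },
];

// Minimal semver comparison for plain x.y.z versions (assumption: no prerelease tags).
function cmp(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function ssriIsVulnerable(version) {
  return VULNERABLE_SSRI.some(r => cmp(version, r.min) >= 0 && cmp(version, r.max) <= 0);
}

// Depth-first walk over the nested "dependencies" map of a lockfile, collecting
// every root-to-ssri path whose installed version falls in a vulnerable range.
function findVulnerableSsriPaths(lock) {
  const hits = [];
  (function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...trail, `${name}@${info.version}`];
      if (name === 'ssri' && ssriIsVulnerable(info.version)) hits.push(path.join(' > '));
      walk(info.dependencies, path);
    }
  })(lock.dependencies, []);
  return hits;
}

// Constructed lockfile excerpt (not a real privacy.sexy lockfile): a nested
// cacache/ssri under @vue/cli-service, a top-level ssri, and one already-fixed dep.
const CONSTRUCTED_LOCK = {
  dependencies: {
    '@vue/cli-service': { version: '4.5.11', dependencies: {
      'terser-webpack-plugin': { version: '2.3.8', dependencies: {
        cacache: { version: '13.0.1', dependencies: {
          ssri: { version: '7.1.0' } } } } } } },
    ssri: { version: '6.0.1' },
    'some-fixed-dep': { version: '1.0.0', dependencies: { ssri: { version: '8.0.1' } } },
  },
};

// Prints the two vulnerable paths; the fixed 8.0.1 copy is not reported.
console.log(findVulnerableSsriPaths(CONSTRUCTED_LOCK).join('\n'));
```

The same walk applied to a real lockfile shows which paths the `npm audit fix --force` suggestion would have to rewrite, which is what makes the breaking-change warning in the report concrete.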
there's an open PR for backporting to 8.0.1 (npm/ssri#20)
this is backporting from 8.0.1, into v7 :)
Oops 😀 Thanks for the info (edited the story) and the PR, hope it gets merged soon!
Referenced commit 0a857aa: bump dependencies to latest #75, #69