
Transitive Dependency to hosted-git-info (CVE-2021-23362) #9

Closed
joyheron opened this issue May 7, 2021 · 5 comments


joyheron commented May 7, 2021

I currently have the following error from my npm audit:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Deinal of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hosted-git-info                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.8                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint-config-fnd [dev]                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint-config-fnd > eslint-plugin-import > read-pkg-up >     │
│               │ read-pkg > normalize-package-data > hosted-git-info          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1677                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

I'm hoping this can be solved by a dependency update to the library?

FND (Owner) commented May 7, 2021

I'm not quite sure what's going on here:

$ npm audit
# npm audit report

hosted-git-info  <3.0.8
Severity: moderate
Regular Expression Deinal of Service - https://npmjs.com/advisories/1677
fix available via `npm audit fix --force`
Will install eslint-plugin-import@2.2.0, which is a breaking change
node_modules/hosted-git-info
  normalize-package-data  2.0.0 - 2.5.0
  Depends on vulnerable versions of hosted-git-info
  node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg
      read-pkg-up  <=7.0.1
      Depends on vulnerable versions of read-pkg
      node_modules/read-pkg-up
        eslint-plugin-import  >=2.3.0
        Depends on vulnerable versions of read-pkg-up
        node_modules/eslint-plugin-import
          eslint-config-standard  >=11.0.0-beta.0
          Depends on vulnerable versions of eslint-plugin-import
          node_modules/eslint-config-standard

npm audit fix --force results in downgraded dependencies:

-               "eslint-config-standard": ">=16",
+               "eslint-config-standard": "^10.2.1",
-               "eslint-plugin-import": ">=2.22.1",
+               "eslint-plugin-import": "^2.2.0",
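Review bot: the two `+` lines resolve the advisory by downgrading rather than patching. `eslint-plugin-import: ^2.2.0` lands below the `>=2.3.0` range that the audit report above lists as depending on read-pkg-up, so the vulnerable chain disappears only because that older release never had the dependency, and `eslint-config-standard: ^10.2.1` is pulled back from `>=16` for the same reason; hosted-git-info itself is never moved to the patched `>=3.0.8`. Treat this hunk as a false fix and hold out for a release that lifts read-pkg-up (or drops it) instead of committing the downgrade.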

which is most unhelpful

this stuff makes my head hurt, so I'm not currently sure whether there's anything I can do about it at this level, I'm afraid
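As an added example (not from this issue, nor from eslint-config-fnd, eslint-plugin-import or npm), the script below walks a lockfile-v1 dependency tree and lists every chain from a direct dependency down to a vulnerable copy of hosted-git-info, which is the "Path" row npm audit prints in the first comment and the nested tree in the second. It assumes the lockfile v1 layout (nested `dependencies` objects carrying `version` and `requires`) and runs on a constructed sample lockfile that mirrors the chain reported here; the function names (`findVulnerablePaths`, `report`), the `other-tool` package and the sample version numbers for the intermediate packages are hypothetical.

```javascript
// Added example: locate dependency paths to a vulnerable package in a
// lockfile-v1 "dependencies" tree. Not code from the issue or either project.

// Constructed sample lockfile (not any real project's lock). A vulnerable
// hosted-git-info is hoisted to the root, exactly as in the audit output in
// this thread; a second, patched copy is nested under the hypothetical
// "other-tool" to show that resolution honours the nearest enclosing scope.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'eslint-config-fnd': { version: '1.0.0', dev: true,
      requires: { 'eslint-plugin-import': '>=2.22.1' } },
    'eslint-plugin-import': { version: '2.22.1', dev: true,
      requires: { 'read-pkg-up': '^2.0.0' } },
    'read-pkg-up': { version: '2.0.0', dev: true,
      requires: { 'read-pkg': '^2.0.0' } },
    'read-pkg': { version: '2.0.0', dev: true,
      requires: { 'normalize-package-data': '^2.3.2' } },
    'normalize-package-data': { version: '2.5.0', dev: true,
      requires: { 'hosted-git-info': '^2.1.4' } },
    'hosted-git-info': { version: '2.8.8', dev: true },
    'other-tool': { version: '1.0.0',
      requires: { 'hosted-git-info': '^3.0.8' },
      dependencies: { 'hosted-git-info': { version: '3.0.8' } } },
  },
};

// Numeric "x.y.z" comparison; prerelease and build suffixes are ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Lockfile-v1 resolution: a "requires" entry is satisfied by the nearest
// enclosing "dependencies" map that contains the name, ending at the root.
function resolve(name, scope) {
  for (let i = scope.length - 1; i >= 0; i--) {
    const deps = scope[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}

// Depth-first walk from each named direct dependency, following "requires"
// and collecting every path that ends in `target` at a version for which
// `isVulnerable(version)` is true. A node already on the ancestor chain is
// skipped, which breaks dependency cycles.
function findVulnerablePaths(lock, roots, target, isVulnerable) {
  const found = [];
  function walk(name, node, scope, path) {
    if (scope.includes(node)) return;
    const here = [...path, `${name}@${node.version}`];
    if (name === target) {
      if (isVulnerable(node.version)) found.push(here.join(' > '));
      return;
    }
    const inner = [...scope, node];
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, inner);
      if (child) walk(dep, child, inner, here);
    }
  }
  for (const root of roots) {
    const node = (lock.dependencies || {})[root];
    if (node) walk(root, node, [lock], []);
  }
  return found;
}

// CVE-2021-23362: the advisory quoted in this issue gives the patched range
// as >=3.0.8, so any lower version is flagged.
const hostedGitInfoVulnerable = (v) => compareVersions(v, '3.0.8') < 0;

// Roots are the direct dependencies you would read from package.json.
function report(lock = SAMPLE_LOCK, roots = ['eslint-config-fnd', 'other-tool']) {
  return findVulnerablePaths(lock, roots, 'hosted-git-info', hostedGitInfoVulnerable);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of report()) console.log(p);
}
```

Against a real checkout, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and the names from package.json's `dependencies` and `devDependencies` as `roots`. Listing the full chain rather than just the leaf is what tells you which direct dependency has to move (here eslint-config-fnd via eslint-plugin-import), and re-running after an upgrade should leave the list empty only because the leaf is now `>=3.0.8`, not because an intermediate package was downgraded out of the chain.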

joyheron (Author) commented May 7, 2021

maybe we should just wait a while and hope that the eslint-plugin-import fixes the problem

FND (Owner) commented May 7, 2021

looks like it's already underway:
import-js/eslint-plugin-import#2048
import-js/eslint-plugin-import#2047

FND (Owner) commented May 10, 2021

transitive dependency should be fixed now?

joyheron (Author)

Yes, thanks! I had to upgrade eslint, but now all vulnerabilities are fixed.

@FND FND closed this as completed May 10, 2021