op-js
node_modules bundled with dependency, include vulnerable version of semver
Your environment
op-js version: 0.1.9
CLI version: 2.14.0
OS: MacOS
What happened?
The published package for op-js 0.1.9 includes its own bundled node_modules folder, which contains semver 7.5.1, a version vulnerable to CVE-2022-25883.
What did you expect to happen?
Generally NPM packages are not expected to include their own node_modules, so that the package manager can resolve a single version that meets the requirements of all dependencies.
If node_modules does have a reason to be included, I'd like semver updated to a non-vulnerable version so that there are no alerts from vulnerability scanners.
Notes & Logs
The vulnerability in question is one that's likely less applicable in the contexts op-js might be used, being a Regular Expression Denial of Service issue. However, the inclusion still creates vulnerability alerts.
Hi @ineffyble, thanks for filing this issue about the dependency and bringing attention to our bundled code approach. I'll be updating the dependency shortly, and we'll also likely update how we're shipping this package so that the dependency isn't directly embedded/shipped. You are correct in that it shouldn't be bundled this way. Thanks again!
Hey @ineffyble, just wanted to follow up here. I've released a minor version of op-js that uses semver 7.5.4, and additionally no longer bundles the code so deps can be patched. Thank you for reporting this!
As a matter of housekeeping, before this ticket is closed we should explicitly update this dependency to >= 7.5.2: https://github.com/1Password/op-js/blob/main/package.json#L59
Addressed in https://github.com/1Password/op-js/commit/452dfd552783e4778111b97d8e0bafdbebd99913
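As an added example (not op-js code and not from any participant in this thread), a small Node.js check in the spirit of the report: given the file list of a packed tarball with the contents of any nested package.json files, it flags bundled node_modules copies of semver older than the 7.5.2 fix referenced above. The sample file list and the advisory table are constructed here; the `path` values mirror what `tar -tzf` prints for an npm tarball.

```javascript
// Compare two dotted versions numerically. Prerelease tags are not handled;
// this is sufficient for the "below the fixed release" question asked here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the tarball listing and return one finding per nested package that sits
// inside a bundled node_modules tree and is older than the advisory's fixed version.
// files: [{ path, contents }], advisories: { [packageName]: minimumFixedVersion }
function auditBundledDeps(files, advisories) {
  const findings = [];
  for (const f of files) {
    // Only manifests under a node_modules directory are bundled dependencies;
    // the top-level package/package.json is the package itself and is skipped.
    if (!/\/node_modules\/.+\/package\.json$/.test(f.path)) continue;
    const pkg = JSON.parse(f.contents);
    const fixed = advisories[pkg.name];
    if (fixed && compareVersions(pkg.version, fixed) < 0) {
      findings.push({ path: f.path, name: pkg.name, version: pkg.version, fixed });
    }
  }
  return findings;
}

// Constructed sample modelled on the 0.1.9 tarball described in the issue:
// the package ships its own node_modules with semver 7.5.1 inside.
const SAMPLE_FILES = [
  { path: 'package/package.json',
    contents: JSON.stringify({ name: 'op-js', version: '0.1.9' }) },
  { path: 'package/node_modules/semver/package.json',
    contents: JSON.stringify({ name: 'semver', version: '7.5.1' }) },
  // Constructed placeholder for another bundled dependency with no advisory.
  { path: 'package/node_modules/example-dep/package.json',
    contents: JSON.stringify({ name: 'example-dep', version: '1.0.0' }) },
];

// Minimum fixed versions to check against; per the thread, CVE-2022-25883 is
// addressed by moving semver to >= 7.5.2.
const ADVISORIES = { semver: '7.5.2' };

console.log(JSON.stringify(auditBundledDeps(SAMPLE_FILES, ADVISORIES), null, 2));
```

Running it against the constructed listing reports the single semver 7.5.1 entry; rerunning after the dependency is moved to 7.5.4 (or node_modules is no longer bundled) yields an empty list, which is the condition a scanner would need to stop alerting.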