Redocly / redoc

📘 OpenAPI/Swagger-generated API Reference Documentation
https://redocly.github.io/redoc/
MIT License

High-severity Vulnerability in browserify-sign - redoc-cli Version 0.13.21 #2483

Status: Closed (closed by manojselvin 5 months ago)

manojselvin commented 5 months ago

Issue: Bug Report

Description: When running npm audit on the redoc-cli version 0.13.21, a high-severity vulnerability is reported in the browserify-sign package (2.6.0 - 4.2.1). The issue is related to an upper-bound check vulnerability in dsaVerify, which could potentially lead to a signature forgery attack.

Expected Behavior: The expectation is to update the dependencies, particularly browserify-sign, to use the latest version to mitigate the reported security vulnerability.

Reproducible Steps:

  1. Run npm audit on redoc-cli version 0.13.21.
  2. Observe the reported vulnerability in browserify-sign (2.6.0 - 4.2.1).

Output of npm audit:

browserify-sign  2.6.0 - 4.2.1
Severity: high
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack - https://github.com/advisories/GHSA-x9w5-v3q2-3rhw
fix available via `npm audit fix`
node_modules/crypto-browserify/node_modules/browserify-sign

Screenshots: (screenshot of the npm audit output, dated 2024-01-26, attached to the original issue)

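The audit output quoted above is npm's human-readable form; the same data is available as JSON from `npm audit --json`. The following is an added example, not code from the redoc project or from the reporter, showing how a CI step could parse that JSON, fail the build on findings at or above a chosen severity, and check whether a given installed version sits inside a reported vulnerable range (which goes a little beyond the issue, where only the 2.6.0 - 4.2.1 range matters). `SAMPLE_AUDIT` is constructed to mirror the browserify-sign advisory quoted in the issue; the `example-lib` entry and its URL are placeholders. Field names follow the npm 7+ audit JSON shape, and the version handling is a deliberate subset (plain `x.y.z` versions, inclusive hyphen ranges and simple comparators only).

```javascript
'use strict';

// npm audit severities, lowest to highest, so a threshold can be compared numerically.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Compare two "x.y.z" version strings numerically. Pre-release tags and build
// metadata are not handled (assumption: the versions npm audit prints are plain).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return true when `version` falls inside a vulnerable range as npm audit prints it.
// Supports inclusive hyphen ranges ("2.6.0 - 4.2.1") and space-separated
// comparator sets ("<4.2.2", ">=2.6.0 <4.2.2"); anything else is rejected loudly.
function inVulnerableRange(version, range) {
  const hyphen = range.match(/^(\S+)\s+-\s+(\S+)$/);
  if (hyphen) {
    return compareVersions(version, hyphen[1]) >= 0 && compareVersions(version, hyphen[2]) <= 0;
  }
  return range.trim().split(/\s+/).every((clause) => {
    const m = clause.match(/^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const c = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<': return c < 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '>=': return c >= 0;
      default: return c === 0;
    }
  });
}

// Collect the entries of `npm audit --json` output (npm 7+ shape: top-level
// `vulnerabilities` keyed by package name) whose severity is at or above `threshold`.
function findingsAtOrAbove(audit, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  return Object.values(audit.vulnerabilities || {})
    .filter((v) => (SEVERITY_RANK[v.severity] || 0) >= min)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      range: v.range,
      fixAvailable: Boolean(v.fixAvailable),
      // `via` mixes advisory objects with plain package-name strings for transitive hits.
      advisories: (v.via || []).filter((x) => typeof x === 'object' && x.url).map((x) => x.url),
      paths: v.nodes || [],
    }))
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Build gate: ok only when nothing at or above the threshold remains.
function auditGate(audit, threshold) {
  const findings = findingsAtOrAbove(audit, threshold);
  return { ok: findings.length === 0, findings };
}

// Constructed sample in the npm 7+ audit JSON shape. The browserify-sign entry mirrors
// the advisory quoted in the issue; `example-lib` and its URL are placeholders.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'browserify-sign': {
      name: 'browserify-sign',
      severity: 'high',
      isDirect: false,
      via: [{
        title: 'browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack',
        url: 'https://github.com/advisories/GHSA-x9w5-v3q2-3rhw',
        severity: 'high',
        range: '2.6.0 - 4.2.1',
      }],
      range: '2.6.0 - 4.2.1',
      nodes: ['node_modules/crypto-browserify/node_modules/browserify-sign'],
      fixAvailable: true,
    },
    'example-lib': {
      name: 'example-lib',
      severity: 'low',
      isDirect: true,
      via: [{ title: 'placeholder advisory', url: 'https://example.invalid/advisory-placeholder', severity: 'low', range: '<1.0.0' }],
      range: '<1.0.0',
      nodes: ['node_modules/example-lib'],
      fixAvailable: false,
    },
  },
};

// Run the gate at "high" over the sample and print what a CI log would show.
const SAMPLE_RESULT = auditGate(SAMPLE_AUDIT, 'high');
for (const f of SAMPLE_RESULT.findings) {
  console.log(`${f.severity.toUpperCase()}: ${f.name} ${f.range} (fix available: ${f.fixAvailable})`);
  f.advisories.forEach((u) => console.log(`  advisory: ${u}`));
  f.paths.forEach((p) => console.log(`  path: ${p}`));
}
console.log(SAMPLE_RESULT.ok ? 'audit gate: pass' : 'audit gate: FAIL (a CI wrapper would set a non-zero exit code here)');
```

In a pipeline you would feed the real output (`npm audit --json > audit.json`) into `auditGate` and exit non-zero when `ok` is false; `inVulnerableRange` is useful separately to confirm, after `npm audit fix` or an upgrade, that the version now resolved in the lockfile is outside the advisory's range rather than trusting the audit summary alone.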
Orest-Yastremskyy commented 5 months ago

Hi @manojselvin,

Thank you for reaching out.

I believe that you are using an outdated version of Redocly CLI (0.13.21, while the latest available is 1.8.1).

Thus, is there a chance you could install the latest available version of Redocly CLI by executing the following command and check whether it resolves this matter?

npm i -g @redocly/cli@latest