department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

(HIGH) - semver-regex Regular Expression Denial of Service (ReDOS) #80584

Open pjhill opened 4 months ago

pjhill commented 4 months ago

Description

https://github.com/department-of-veterans-affairs/vets-website/security/dependabot/8

Acceptance Criteria

pjhill commented 4 months ago

The next available version of yo requires node v18 or greater. This is a bit of a sticky wicket.

pjhill commented 4 months ago

I had the idea to explicitly update semver-regex to the latest; however, that is not going to resolve the issue since walking backward through the dependencies reveals the following --

yo 4.3.1 --> yeoman-doctor ^5.0.0 --> bin-version-check ^4.0.0 --> bin-version ^3.0.0 --> find-versions ^3.0.0 --> semver-regex ^2.0.0
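The point in the comment above (a direct bump of the leaf package cannot help when every intermediate range pins it) can be checked mechanically. The following is an added example, not code from the issue or the vets-website project: it walks a constructed dependency graph mirroring the chain listed above and tests whether the last declared caret range would even admit a patched release. The graph, the `3.0.0` "patched" version and the caret-only range parser are assumptions for illustration.

```javascript
// Constructed dependency graph (package -> { dependency: declared range }),
// mirroring the chain quoted in the issue; not read from a real lockfile.
const DEPS = {
  "yo": { "yeoman-doctor": "^5.0.0" },
  "yeoman-doctor": { "bin-version-check": "^4.0.0" },
  "bin-version-check": { "bin-version": "^3.0.0" },
  "bin-version": { "find-versions": "^3.0.0" },
  "find-versions": { "semver-regex": "^2.0.0" },
  "semver-regex": {},
};

function parseVersion(v) {
  const bare = v.startsWith("^") ? v.slice(1) : v;
  const [major, minor, patch] = bare.split(".").map(Number);
  return { major, minor, patch };
}

// Caret semantics only: ^1.2.3 allows >=1.2.3 <2.0.0; ^0.2.3 allows >=0.2.3 <0.3.0.
function caretSatisfies(range, version) {
  const lo = parseVersion(range);
  const v = parseVersion(version);
  const cmp = (a, b) => a.major - b.major || a.minor - b.minor || a.patch - b.patch;
  if (cmp(v, lo) < 0) return false;
  if (lo.major > 0) return v.major === lo.major;
  return v.major === 0 && v.minor === lo.minor;
}

// Depth-first search for the chain of "dependency range" edges from root to target.
function findChain(graph, root, target, path = [root]) {
  for (const [dep, range] of Object.entries(graph[root] || {})) {
    const next = [...path, `${dep} ${range}`];
    if (dep === target) return next;
    const found = findChain(graph, dep, target, next);
    if (found) return found;
  }
  return null;
}

// Would the range declared by the package that directly depends on `target`
// accept `patched`? If not, pinning `target` at the root changes nothing.
function patchReachable(graph, root, target, patched) {
  const chain = findChain(graph, root, target);
  if (!chain) return null;
  const range = chain[chain.length - 1].split(" ")[1];
  return caretSatisfies(range, patched);
}

console.log(findChain(DEPS, "yo", "semver-regex").join(" --> "));
// "3.0.0" is a placeholder for a hypothetical fixed major release.
console.log(patchReachable(DEPS, "yo", "semver-regex", "3.0.0")); // false
```

A `false` result is the condition pjhill describes: the fix lives outside the range `find-versions` declares, so one of the upstream packages has to move first.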

pjhill commented 4 months ago

Per a discussion with Curt, this was already on his radar. Curt's assessment is that the only way forward with this is to --

  1. Either refactor yeoman out of the codebase
  2. Fork latest yeoman and make it work with node 14

pjhill commented 4 months ago

Given this roadblock, we should probably upgrade the estimate from this from a 2 to something more like an 8.

JoeTice commented 4 months ago

For the moment, I'm adding the 'Blocked' label, and we can determine what we do next - which will either be exploring what Curt suggested, OR waiting for the roadblock to be cleared.