estools / escodegen

ECMAScript code generator
BSD 2-Clause "Simplified" License
2.66k stars 334 forks

Outdated dependency security vulnerability #456

Closed invaderb closed 1 year ago

invaderb commented 1 year ago

Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
  optionator 0.8.3 - 0.9.1
    Depends on vulnerable versions of word-wrap
    node_modules/escodegen/node_modules/optionator

escodegen has an outdated dependency version "optionator": "^0.8.1"

Please look into updating it to the latest 0.9.3

ericcornelissen commented 1 year ago

Note that at v2.0.0 this was still a regular dependency, but on master (7a48a21) it's actually a development dependency instead, and at ^0.9.1. So, assuming master is stable, resolving this would be as easy as deploying the development head.

wellwelwel commented 1 year ago

This should be fixed automatically by: https://github.com/estools/escodegen/blob/7a48a218cff99cd38e38e54ac8f310196314702e/package.json#L51

Especially since it's a development dependency on the master branch.

But this repository isn't synchronized with the npm package, where it's still "optionator": "^0.8.1".

@estools, @Constellation and @michaelficarra, please can you check it?

invaderb commented 1 year ago

@ericcornelissen 0.9.1 still has the vulnerability in it, and 0.9.2 had some sort of hiccup, so a newer version was published to npm, as talked about in this thread here on eslint: https://github.com/eslint/eslint/issues/17317

ericcornelissen commented 1 year ago

@invaderb the fact that ^0.9.1 is used in package.json means v0.9.1 or a higher patch version can be installed by users of escodegen - in this case both v0.9.2 and v0.9.3, the latter of which resolves the vulnerable dependency. So, it would resolve the problem for any users of the latest version of escodegen, even if they still have to manually update the transitive dependency on their end.

The first comment on the issue you linked points this principle out as well.
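The caret-range reasoning above, as an added example that is not part of the thread and not escodegen's own code: it hand-rolls caret semantics (no `semver` package, plain x.y.z versions only) and uses a constructed registry listing to show why the published "^0.8.1" can never resolve to the fixed optionator 0.9.3 while master's "^0.9.1" can.

```javascript
// Added example, not escodegen's own code: why "^0.8.1" in the published
// package keeps users on a vulnerable optionator while "^0.9.1" on master
// can reach the fixed 0.9.3. Caret logic is hand-rolled (no `semver` package)
// and handles only plain x.y.z versions.

const parse = (v) => v.replace(/^\^/, '').split('.').map(Number);

const cmp = (a, b) => {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
};

// Caret semantics: ^1.2.3 -> <2.0.0; ^0.2.3 -> <0.3.0; ^0.0.3 -> <0.0.4.
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfies(range, version) {
  const lower = parse(range);
  const v = parse(version);
  return cmp(v, lower) >= 0 && cmp(v, caretUpperBound(lower)) < 0;
}

// Affected optionator versions per the npm audit output above (inclusive).
const VULN_LOW = parse('0.8.3');
const VULN_HIGH = parse('0.9.1');
const FIXED = '0.9.3';
const isVulnerable = (version) =>
  cmp(parse(version), VULN_LOW) >= 0 && cmp(parse(version), VULN_HIGH) <= 0;
// Constructed registry listing; a real check would read `npm view optionator versions`.
const PUBLISHED = ['0.8.1', '0.8.2', '0.8.3', '0.9.0', '0.9.1', '0.9.2', '0.9.3'];

// What `npm install` would pick for a declared range, and whether it is still affected.
function resolve(range, published = PUBLISHED) {
  const matching = published
    .filter((v) => satisfies(range, v))
    .sort((a, b) => cmp(parse(a), parse(b)));
  const resolved = matching[matching.length - 1] ?? null;
  return {
    range,
    resolved,
    vulnerable: resolved !== null && isVulnerable(resolved),
    fixReachable: satisfies(range, FIXED),
  };
}

console.log(resolve('^0.8.1')); // npm release at the time: stuck on 0.8.3
console.log(resolve('^0.9.1')); // master: resolves to 0.9.3
```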

wellwelwel commented 1 year ago

> @invaderb the fact that ^0.9.1 is used in package.json means v0.9.1 or a higher patch version can be installed by users of escodegen - in this case both v0.9.2 and v0.9.3, the latter of which resolves the vulnerable dependency. So, it would resolve the problem for any users of the latest version of escodegen, even if they still have to manually update the transitive dependency on their end.
>
> The first comment on the issue you linked points this principle out as well.

@ericcornelissen, it would be great if this repository was synced with npm.

michaelficarra commented 1 year ago

Published version 2.1.0.