jaredpalmer / tsdx

Zero-config CLI for TypeScript package development
https://tsdx.io
MIT License

Vulnerable version of node-notifier in dependency tree #949

Open gjgd opened 3 years ago

gjgd commented 3 years ago

I got a security notice for node-notifier in my project that uses tsdx@0.14.0 (see screenshot below)

This is the output of npm ls node-notifier:

➜ npm ls node-notifier

└─┬ tsdx@0.14.1
  └─┬ jest@25.5.4
    └─┬ @jest/core@25.5.4
      └─┬ @jest/reporters@25.5.1
        └── node-notifier@6.0.0

Looks like updating the version of jest to 26.0.0 would fix this issue

[Screenshot omitted: security notice for node-notifier, taken 2020-12-24]
agilgur5 commented 3 years ago

Thanks for reporting this, I see the same issue here. I'm not sure if the vulnerable code path actually affects us though.

Looks like updating the version of jest to 26.0.0 would fix this issue

Unfortunately that is easier said than done given that it would require a breaking change.

The patch in node-notifier is quite small, so I would think that would be simple to backport to v6 as well.

Jest 26 was also vulnerable until a backport was made for v8.

balazser commented 3 years ago

Hi @agilgur5, thank you for commenting. Are you planning to upgrade in the near future? :thinking:

karlhorky commented 3 years ago

Hope that the outdated internal dependencies such as Jest can either be updated soon too! 🤞 Or maybe it would make more sense for them to be completely removed (and make users install their own dependencies 100% of the time), given the maintenance level here.

But in the meantime, a workaround that may help some people is to force an upgrade of the transitive dependency via Yarn Resolutions (add to package.json if you're using Yarn and run yarn):

  "resolutions": {
    "tsdx/**/node-notifier": "10.0.0"
  }
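One way to confirm that a resolution like the one above actually took effect is to walk the JSON that `npm ls --json` prints and flag every path that still reaches an old node-notifier. The script below is an added example, not code from tsdx or from anyone in this thread; the two dependency trees are constructed to mirror the chain reported above, and `findPackage`, `report` and the `10.0.0` minimum (the version the resolution pins, not an advisory threshold) are the example's own choices.

```javascript
// Parses the structure printed by `npm ls --json` and lists every path to a
// named transitive dependency, flagging versions below a chosen minimum.
function parseVersion(v) {
  // Assumption: plain "major.minor.patch" versions, no pre-release suffix.
  return v.split('.').map(Number);
}

function versionBelow(candidate, minimum) {
  const a = parseVersion(candidate);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Recursively walks the nested "dependencies" objects of an npm ls tree.
function findPackage(tree, name, minVersion, path = [], hits = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version}`];
    if (dep === name) {
      hits.push({
        path: here.join(' > '),
        version: info.version,
        belowMinimum: versionBelow(info.version, minVersion),
      });
    }
    findPackage(info, name, minVersion, here, hits);
  }
  return hits;
}

// One line per match, usable as a CI gate or a quick check after a resolution.
function report(tree, name, minVersion) {
  return findPackage(tree, name, minVersion).map(
    (h) => `${h.belowMinimum ? 'BELOW MINIMUM' : 'ok'}: ${h.path}`);
}

// Constructed sample: the tree from the issue before any resolution is applied.
const beforeFix = { name: 'my-project', dependencies: {
  tsdx: { version: '0.14.1', dependencies: {
    jest: { version: '25.5.4', dependencies: {
      '@jest/core': { version: '25.5.4', dependencies: {
        '@jest/reporters': { version: '25.5.1', dependencies: {
          'node-notifier': { version: '6.0.0' } } } } } } } } } } };

// Constructed sample: the same tree after the Yarn resolution pins 10.0.0.
const afterFix = JSON.parse(JSON.stringify(beforeFix));
afterFix.dependencies.tsdx.dependencies.jest.dependencies['@jest/core']
  .dependencies['@jest/reporters'].dependencies['node-notifier'].version = '10.0.0';

console.log(report(beforeFix, 'node-notifier', '10.0.0').join('\n'));
console.log(report(afterFix, 'node-notifier', '10.0.0').join('\n'));
```

To run it against a real project, replace the constructed trees with `JSON.parse` of the output of `npm ls node-notifier --json`.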
zeusdeux commented 2 years ago

@karlhorky @agilgur5 Any way us non-yarn users can sort this security alert out without having to add yet another dependency to add resolutions support to npm via a third party package?

karlhorky commented 2 years ago

Not at the moment - tsdx would need to upgrade and publish a release. If you don't want to use yarn or pnpm, eventually npm will have this feature (it will be called Overrides)

zeusdeux commented 2 years ago

Gotcha. Thanks @karlhorky! And appreciate the quick response! 🙏🏼