lukeautry / tsoa

Build OpenAPI-compliant REST APIs using TypeScript and Node
MIT License

Snyk security vulnerability for inflight (one of tsoa indirect dependencies) #1572

Closed erlanggatjhie closed 4 months ago

erlanggatjhie commented 4 months ago

Current Behavior

Snyk has identified a security vulnerability within the tsoa packages:

Inflight - Missing Release of Resource after Effective Lifetime

Introduced through: tsoa@4.1.3 › @tsoa/cli@4.1.3 › yamljs@0.3.0 › glob@7.2.3 › inflight@1.0.6
Fix: No remediation path available.

Introduced through: tsoa@5.1.1 › @tsoa/cli@5.1.1 › yamljs@0.3.0 › glob@7.2.3 › inflight@1.0.6
Fix: No remediation path available.

Introduced through: tsoa@6.0.0 › @tsoa/cli@6.0.1 › yamljs@0.3.0 › glob@7.2.3 › inflight@1.0.6
Fix: No remediation path available.

Possible Solution

The vulnerability comes from yamljs@0.3.0 which indirectly uses inflight. Unfortunately, both inflight and yamljs are not actively maintained. I am thinking if we can use js-yaml or yaml instead of yamljs to remediate the security issue.

Context (Environment)

Version of the library: 4.1.3, 5.1.1, 6.0.0
Version of NodeJS: 18
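An added example, not part of this issue or the tsoa project: it walks a hand-built dependency tree shaped like `npm ls --json` output (mirroring the chain reported above) to list every path that reaches a flagged package, then re-checks the tree after the proposed yamljs-to-yaml swap. The `yaml` version string is a placeholder.

```javascript
// Constructed tree mirroring the chain in the Snyk report; shape follows
// `npm ls --json` (name/version/dependencies), values taken from the issue.
const tree = {
  name: "tsoa", version: "6.0.0",
  dependencies: {
    "@tsoa/cli": {
      version: "6.0.1",
      dependencies: {
        yamljs: {
          version: "0.3.0",
          dependencies: {
            glob: {
              version: "7.2.3",
              dependencies: { inflight: { version: "1.0.6" } },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk returning every "name@version › ..." chain that ends at `target`.
function pathsTo(node, target, trail = [`${node.name}@${node.version}`], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies ?? {})) {
    const next = [...trail, `${name}@${dep.version}`];
    if (name === target) out.push(next.join(" › "));
    pathsTo({ name, ...dep }, target, next, out);
  }
  return out;
}

// Simulate the remediation: replace `oldName` wherever it appears with a
// package that brings no transitive dependencies of its own (a simplification).
function replaceDependency(node, oldName, replacement) {
  const deps = {};
  for (const [name, dep] of Object.entries(node.dependencies ?? {})) {
    if (name === oldName) deps[replacement.name] = { version: replacement.version };
    else deps[name] = replaceDependency(dep, oldName, replacement);
  }
  return { ...node, dependencies: deps };
}

// Placeholder version for the replacement library.
const remediated = replaceDependency(tree, "yamljs", { name: "yaml", version: "x.y.z" });
console.log("before:", pathsTo(tree, "inflight"));
console.log("after: ", pathsTo(remediated, "inflight"));
```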

github-actions[bot] commented 4 months ago

Hello there erlanggatjhie 👋

Thank you for opening your very first issue in this project.

We will try to get back to you as soon as we can.👀

WoH commented 4 months ago

Not relevant to how we use that package in the cli. But happy to review a PR if anyone is annoyed by the warning.

bill-titus commented 4 months ago

But happy to review a PR if anyone is annoyed by the warning

Thanks WoH. Happy to hear the finding is not relevant to how we use that package. The finding actually causes lots of lost time dealing with corporate security teams and especially government customers that monitor each finding. Switching to a more maintained yaml library would be appreciated. Thanks for the fix @mamerruddin!