nuxt / telemetry

Nuxt Telemetry
MIT License

High security vulnerability in dependency hierarchy (impact? fix?) #73

Closed nicod-pc closed 2 years ago

nicod-pc commented 2 years ago

Hi, we have the problem that `yarn improved-yarn-audit` shows us a vulnerability through using this package.

Vulnerability Found:

  Severity: HIGH    
  Modules: nuxt>@nuxt/telemetry>git-url-parse>git-up>parse-url>parse-path
  URL: https://github.com/advisories/GHSA-3j8f-xvm3-ffx4

I checked the version and we are using all the newest possible:

| package | requirement | actual version |
|---|---|---|
| nuxt | 2.x | 2.15.8 |
| @nuxt/telemetry | ^1.3.3 | 1.3.6 |
| git-url-parse | ^11.4.4 | 11.6.0 |
| git-up | ^4.0.0 | 4.0.5 |
| parse-url | ^6.0.0 | 6.0.2 |
| parse-path | ^4.0.4 | 4.0.4 |

As every version is the newest available version matching the requirements, we cannot solve this by updating. So now we have to understand the impact. What is @nuxt/telemetry using this library for? Parsing git URLs doesn't really make sense for a telemetry library. Isn't this just sending telemetry to a server? Why do you need to parse git URLs? And why is it so complicated to parse it that it needs a depth of 4 libraries depending on each other?

I would be happy if you could give insights on why it is used and in the best case create a new version not using it anymore.

codetheorist commented 2 years ago

There are now updates to these dependencies, with parse-path being updated to 5.0.0, and all other dependencies in the hierarchy have now been updated.

Will push a fix soon.

pi0 commented 2 years ago

Hi! The affected dependency is updated in the latest @nuxt/telemetry version. You can update your lockfile to get rid of this issue. (BTW, nothing to worry about: this issue was a false positive and not affecting any usage in Nuxt, since we only use it at build time and hash the result.)
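As an added illustration of the "update the lockfile, then confirm what the chain actually resolves to" step (this is not code from nuxt/telemetry or from anyone in the thread): a small Node script that parses a yarn v1 lockfile, walks the path the audit printed (`nuxt>@nuxt/telemetry>git-url-parse>git-up>parse-url>parse-path`), and flags any link resolved below a minimum version. The lockfile fragment is constructed from the issue's own table; the `5.0.0` floor for parse-path is taken from the thread's comment, not verified here against the advisory, so treat it as an assumption to check against GHSA-3j8f-xvm3-ffx4. Function and constant names (`parseYarnLock`, `resolveChain`, `auditLock`, `FIXED_VERSIONS`) are this example's own.

```javascript
// Added example (not project code): follow an audited dependency path through a
// yarn v1 lockfile and flag links below a known-fixed version. Sample data below
// is constructed from the issue; the parse-path floor is the thread's claim.

// Parse a yarn v1 lockfile into { "name@range": { version, dependencies } }.
function parseYarnLock(text) {
  const entries = {};
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const indent = raw.length - raw.trimStart().length;
    if (indent === 0 && line.endsWith(":")) {
      // Header: comma-separated "name@range" keys, quoted when the name is scoped.
      current = { version: null, dependencies: {} };
      inDeps = false;
      for (const key of line.slice(0, -1).split(",")) {
        entries[key.trim().replace(/^"|"$/g, "")] = current;
      }
    } else if (indent === 2 && line.startsWith("version ")) {
      current.version = line.slice(8).replace(/"/g, "");
    } else if (indent === 2) {
      inDeps = line === "dependencies:"; // resolved/integrity lines end the block
    } else if (indent === 4 && inDeps) {
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/); // name "range"
      if (m) current.dependencies[m[1]] = m[2];
    }
  }
  return entries;
}

// Numeric "x.y.z" comparison; pre-release tags are deliberately not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the audit path through the lockfile, starting from the range the project
// declares for its root dependency. A missing link means the path no longer exists.
function resolveChain(entries, chain, rootRange, minimums) {
  const report = [];
  let range = rootRange;
  for (let i = 0; i < chain.length; i++) {
    const name = chain[i];
    const entry = entries[`${name}@${range}`];
    if (!entry) {
      report.push({ name, range, version: null, vulnerable: null });
      break;
    }
    const min = minimums[name];
    const vulnerable = min !== undefined && compareVersions(entry.version, min) < 0;
    report.push({ name, range, version: entry.version, vulnerable });
    if (i + 1 < chain.length) range = entry.dependencies[chain[i + 1]];
  }
  return report;
}

// Constructed yarn.lock fragment; versions match the issue's table.
const SAMPLE_LOCK = `# yarn lockfile v1
"@nuxt/telemetry@^1.3.3":
  version "1.3.6"
  dependencies:
    git-url-parse "^11.4.4"
git-up@^4.0.0:
  version "4.0.5"
  dependencies:
    parse-url "^6.0.0"
git-url-parse@^11.4.4:
  version "11.6.0"
  dependencies:
    git-up "^4.0.0"
nuxt@2.x:
  version "2.15.8"
  dependencies:
    "@nuxt/telemetry" "^1.3.3"
parse-path@^4.0.4:
  version "4.0.4"
parse-url@^6.0.0:
  version "6.0.2"
  dependencies:
    parse-path "^4.0.4"
`;

// Path printed by the audit and the root range from the issue's table.
const AUDIT_CHAIN = "nuxt>@nuxt/telemetry>git-url-parse>git-up>parse-url>parse-path".split(">");
const ROOT_RANGE = "2.x";
// Assumed floor: the thread says parse-path 5.0.0 is the fixed release.
const FIXED_VERSIONS = { "parse-path": "5.0.0" };

function auditLock(lockText) {
  return resolveChain(parseYarnLock(lockText), AUDIT_CHAIN, ROOT_RANGE, FIXED_VERSIONS);
}

for (const link of auditLock(SAMPLE_LOCK)) {
  const state = link.version === null ? "not in lockfile" : link.vulnerable ? "BELOW FIX" : "ok";
  console.log(`${link.name}@${link.range} -> ${link.version} (${state})`);
}
```

Run it with `node` against a real `yarn.lock` by swapping `SAMPLE_LOCK` for `fs.readFileSync("yarn.lock", "utf8")`; after `yarn upgrade @nuxt/telemetry` (or deleting the stale entries and reinstalling) the last link should either resolve at or above the floor or disappear from the path entirely, which is the "update lockfile" outcome described above. The version comparison is intentionally minimal and ignores pre-release suffixes, so use a real semver library for anything beyond a quick check.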