CVE-2021-3803 via badge-up / svgo / css-select

[joshuanapoli]

Users of flow-coverage-report have Inefficient Regular Expression Complexity "vulnerability" CVE-2021-3803 via transitive dependency badge-up / svgo@1.3.2 / css-select / nth-check@1.0.2. Upgrading to latest svgo links a non-vulnerable version of nth-check.

One trouble is https://github.com/yahoo/badge-up/pull/21 isn't merging. We could pull it into your fork in https://github.com/rpl/badge-up/pull/1 and then upgrade the fork version here.

[AlonNavon]

Hey @joshuanapoli,

We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an nth-check 1.02-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.

If relevant, check out our GitHub repo if you wish to learn more, or start using our app.

Please feel free to reach us at info@seal.security if you have any requests/questions.