`jest-resolve` transitively pulls in a moderate `npm audit` issue

[glasser]

An npm advisory in hosted-git-info was posted this morning. This leads npm audit to report moderate severity vulnerabilities in the current version of jest, 26.6.5 (and it can only suggest rolling back to jest@26.5.0, which does not actually help). Specifically, this comes from jest's use of read-pkg-up.

My guess is it's not super likely that this presents a serious security threat in the jest context, but it's nice to keep one's tree free of audit issues when feasible.

Reproduction:

glasser@dsg-mbp 0 10:55:47 /tmp $ mkdir jest-audit
glasser@dsg-mbp 0 10:55:48 /tmp $ cd jest-audit
glasser@dsg-mbp 0 10:55:50 /tmp/jest-audit $ npm i jest@26.6.3
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 537 packages, and audited 537 packages in 12s

24 packages are looking for funding
  run `npm fund` for details

16 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
glasser@dsg-mbp 0 10:56:18 /tmp/jest-audit $ npm audit
# npm audit report

hosted-git-info  <3.0.8
Severity: moderate
Regular Expression Deinal of Service - https://npmjs.com/advisories/1677
fix available via `npm audit fix --force`
Will install jest@26.5.0, which is a breaking change
node_modules/hosted-git-info
  normalize-package-data  2.0.0 - 2.5.0
  Depends on vulnerable versions of hosted-git-info
  node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg
      read-pkg-up  <=7.0.1
      Depends on vulnerable versions of read-pkg
      node_modules/read-pkg-up
        jest-resolve  25.4.0 - 26.4.0 || 26.5.2 - 26.6.2
        Depends on vulnerable versions of read-pkg-up
        node_modules/jest-resolve
          @jest/core  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/@jest/core
            jest  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of @jest/core
            node_modules/jest
          @jest/reporters  25.4.0 - 25.5.1 || 26.5.2 - 26.6.2
          Depends on vulnerable versions of jest-resolve
          node_modules/@jest/reporters
          jest-config  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-config
            jest-cli  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-config
            node_modules/jest-cli
          jest-runner  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-runner
          jest-runtime  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-runtime
            @jest/test-sequencer  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runtime
            node_modules/@jest/test-sequencer
            jest-jasmine2  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-runtime
            node_modules/jest-jasmine2
          jest-snapshot  25.4.0 - 25.5.1 || 26.5.2 - 26.6.2
          Depends on vulnerable versions of jest-resolve
          node_modules/jest-snapshot
            jest-resolve-dependencies  25.4.0 - 25.5.4 || 26.5.2 - 26.6.3
            Depends on vulnerable versions of jest-snapshot
            node_modules/jest-resolve-dependencies

16 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[SimenB]

We have migrated from read-pkg-up to escalade in Jest 27, so this is not a problem on master (#10781) - you can install jest@next if you want. Not sure when a stable release is coming (I've made some broken half-promises before, so I won't do that again 🙂), but hopefully soon-ish

[jansepke]

@SimenB would it be an option to backport commit aec8573 to version 26 ? Would be better then using a beta version to fix a security finding. Or is soon-ish in the next 1-2 weeks? 😉

[SimenB]

No, we landed it in v26 first, but had to revert it as was a breaking change (due to bugs later fixed, but I'm hesitant to try again, and the overhead of making releases is not negligible, and false positives from tooling is not high on my list of priorities).

Or is soon-ish in the next 1-2 weeks?

I hope so! You can see the milestone. I think I'll push most of those for 28 just to get 27 out though, except for #11263, #10577 and #11167 (PRs for the latter ones welcome 👍). So 1-2 weeks? Possibly

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.