Vulnerability in transitive dependency underscore.string

[nulltoken]

Using latest version

{
  "name": "test",
  "version": "1.0.0",
  "main": "index.js",
  "license": "MIT",
  "dependencies": {
    "swagger-ui": "^3.20.6"
  }
}

Audit reports

$ yarn audit
yarn audit v1.12.3
+------------------------------------------------------------------------------+
¦ moderate      ¦ Regular Expression Denial of Service                         ¦
+---------------+--------------------------------------------------------------¦
¦ Package       ¦ underscore.string                                            ¦
+---------------+--------------------------------------------------------------¦
¦ Patched in    ¦ >=3.3.5                                                      ¦
+---------------+--------------------------------------------------------------¦
¦ Dependency of ¦ swagger-ui                                                   ¦
+---------------+--------------------------------------------------------------¦
¦ Path          ¦ swagger-ui > remarkable > argparse > underscore.string       ¦
+---------------+--------------------------------------------------------------¦
¦ More info     ¦ https://nodesecurity.io/advisories/745                       ¦
+------------------------------------------------------------------------------+
1 vulnerabilities found - Packages audited: 319
Severity: 1 Moderate

[shockey]

@nulltoken, as always thanks for filing an issue!

I'm deprioritizing this based on upstream analysis (that I agree with) that this is not a realistic security concern:

Unless you are planning on attacking yourself by entering a 100k string in the terminal while running the CLI, this is not even remotely a vulnerability or security concern for remarkable.

This means that if you pass a long string (50k characters?), that might look like a date, to the remarkable cli, your experience might be degraded by about 2 seconds.

jonschlinkert/remarkable#312 (comment)

Further, for us: argparse is used in Remarkable's CLI, which is not used in Swagger UI at all. There's simply no way that this "vulnerability" could cause problems for us here.

[Racer159]

Just FYI, but upstream remarkable closed their issue related to this as of 10 days ago. Not too big of a deal (given the low risk of this vuln), but just wanted to make sure y'all were aware so that hopefully NPM audit can finally be happy again.

jonschlinkert/remarkable#310

[shockey]

Indeed @Racer159, this is resolved, we grabbed the new Remarkable version in #5509.

Closing!