[BUG] CVE-2021-27290 due to using old version of `ssri` about cacache HOT 9 CLOSED

@wraithgar Thanks a ton for this fix. Is it possible to also update the ssri dependency in 12.x of this project? For Webpack 4 support.

from cacache.

@wraithgar Strapi also depends on [email protected]. Is it possible to port this fix for v12? Thanks.

from cacache.

Since terser-webpack-plugin for webpack v4 depends on 12.x it would be great if 12 could be patched

from cacache.

+1 for adding this patch into v12

from cacache.

@Zajn Thanks for opening that PR. I spun it up locally but am also getting failing tests.

In the terser-webpack-plugin repo, @WayneEllery made a great point here about Node-version compatibility. [email protected] removes support for Node versions below 8. The package.json of [email protected] doesn't have an engines field, so I assume it supports all Node versions. Thus, bumping to [email protected] for v12 of this project could constitute a breaking change.

Something else I'm wondering about: According to the vulnerability report, "this issue only affects consumers using the strict option." Does v12 of this project even use the strict option? I did a quick browse thru v12 of the code base, and this line is the only thing that jumps out at me.

Finally, I started an issue in the ssri repo asking about protocol for porting the security fix into v6 of that package.

from cacache.

FYI ssri v6.0.2 released.
npm/ssri#18 (comment)

from cacache.

this module has been updated and the next cli release will include this change

from cacache.

I attempted to backport the bump to v12 and opened a PR, but all the tests that passed for me locally failed in CI. I'm not intimately familiar with node development, so maybe someone more knowledgeable would be able to help me get that in a passing state.

from cacache.

Thus, bumping to [email protected] for v12 of this project could constitute a breaking change.

Does v12 of this project even use the strict option? I did a quick browse thru v12 of the code base, and this line is the only thing that jumps out at me.

@AndrewGibson27 Both good points. I don't know enough about the project to definitively say yes or no to the usage of strict, but it doesn't appear to me that any of the usages of ssri here do.

I've never done any Node development, so I may have run the tests improperly which gave me a passing result. Locally, I just installed dependencies via npm install and then ran npm test.

Finally, I started an issue in the ssri repo asking about protocol for porting the security fix into v6 of that package.

Thanks for doing that!

from cacache.