Package immer@5.3.6 Have security vulnerability

[appfrabric]

The latest version of spectral had dependency on @stoplight/json-ref-resolver@3.1.0 which depend on immer@5.3.6.
But immer 5.3.6 is vulnerable to Prototype Pollution.

see https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1061986

The vulnerability was resolved for immer@8.0.1.

spectral dependencies need to be upgraded

[P0lip]

I don't think this actually affects us, at least it doesn't appear so assuming the vulnerability is exposed only via those patching functions.
We don't utilize applyPatches in @stoplight/json-ref-resolver, and it seems like this is the only way to actually pollute the prototype chain, but I haven't verified the code paths.
Have you actually tried to exploit that vulnerability?

[appfrabric]

The vulnerability had beed fixed in immer@8.0.1, Hence, the best outcome for everybody would be for you to upgrade @stoplight/json-ref-resolver to use immer@8.0.1;

In fact, anyone using your library will inherit your version of immer, exposing himself to the vulnerability above.

Furthermore, your version of immer does not have immer@8.0.1 as a compatible version making it impossible for your library user's to force their code base immer version to the non vulnerable version.

Finally, application scan tool (A mandatory step before most Prod deploy) will keep flagging your library as vulnerable, blocking people from deploying code that uses @stoplight/json-ref-resolver or even @stoplight/spectral.

[toby-murray-snow-software]

In fact, anyone using your library will inherit your version of immer, exposing himself to the vulnerability above.

Seconding this - any vulnerabilities in any dependencies automatically raise questions and kick off a "process" for various meanings of the process at different companies/projects/users. As it stands, I imagine every consumer of this project who uses Dependabot in GitHub will receive a "high severity" alert.

Speaking only from my experience, for "high severity" issues the onus is on us (the consumer) to prove that it's safe to ignore, which is generally a pain in the ass. All that to say that while actually being vulnerable is certainly worse, looking vulnerable comes with its own headaches and is usually valuable to consumers to resolve. I say this as someone who has no real awareness about what this project does or what specifically we use it for, I've ended up here from a Dependabot security alert.

Do you know if there's anything blocking the dependency update (e.g. there's development work to be done) or if it's regular "update the package.json and run the tests"?

Edit: It looks like https://github.com/stoplightio/json-ref-resolver is deprecated, which complicates things as presumably the desired fix would be to move to json-schema-ref-parser?

[tsimbalar]

Thanks for the new release with addressed vulnerabilities ! 👍