@progress/kendo-licensing semver security vulnerability

[tplante]

• Bug report

Current behavior

Latest version of @progress/kendo-licensing (1.3.0) has a dependency on [email protected], which exposes a security vulnerability. This is fixed in [email protected].

Expected behavior

@progress/kendo-licensing has up-to-date, secure dependencies.

Minimal reproduction of the problem with instructions

This vulnerability was reported by snyk.io. To reproduce:

1. Install @progress/kendo-licensing in your project
2. Configure Snyk
3. See semver ReDoS vulnerability

What is the motivation or use case for changing the behavior?

Securing applications that depend on @progress/kendo-licensing

Environment

Package versions:

1.3.0

Browser:
N/A

System:
N/A

Snyk report:

[tsvetomir]

This looks like a false positive, but might be due to a stale package-lock.json file. Try updating the dependencies in your project using npm update.

In more detail, @progress/kendo-licensing depends on jsonwebtoken 9.0.0 which loosely specifies "semver": "^7.3.8". NPM should pick up the latest version during an update.

[tplante]

@tsvetomir I regularly upgrade dependencies, but because of the indirect relationship to semver I don't have control over its version. Yarn only lists dependency versions one layer deep--here's how my yarn.lock looks:

"@progress/kendo-licensing@^1.3.0":
  version "1.3.0"
  resolved "https://registry.yarnpkg.com/@progress/kendo-licensing/-/kendo-licensing-1.3.0.tgz#92cb1033c56e5b86ef0c5d81ea83e887b4557614"
  integrity sha512-Bp5MUX6wVHVUW8ZJUNcFVw9/KwRvP/a9zg2gAwRhpHVlwrSPbIpCMoBRRk32CEzC1tpUsIuQywT95+97HXZDTg==
  dependencies:
    jsonwebtoken "^9.0.0"

Is it possible to resolve this without action from jsonwebtoken?

[tsvetomir]

It should be possible to override indirect dependency versions through the resolutions section:

"resolutions": {
  "semver": "^7.5.2"
}

[tsvetomir]

Also reported in auth0/node-jsonwebtoken#921 and auth0/node-jsonwebtoken#905