Dependency @bahmutov/is-my-json-valid contains vulnerable sub-dependency - [email protected] - and is outdated

[akaustav]

Hi @bahmutov / maintainers,

Summary

The @bahmutov/is-my-json-valid dependency of this repository contains (at least) one vulnerable sub-dependency - [email protected]. See this advisory about CVE-2021-23807 in the GitHub Advisory Database for details about the vulnerability.

My research so far

1. This repository contains a dependency named @bahmutov/is-my-json-valid.

   schema-tools/package.json

   Line 34 in b0d1a36

   "@bahmutov/is-my-json-valid": "2.17.3",

2. The code for this dependency is hosted on this GitHub repository.

3. Upon closer inspection, I found that the GitHub repository at bahmutov/is-my-json-valid was forked from the GitHub repository at mafintosh/is-my-json-valid (that has been published to the npm registry at is-my-json-valid) around April, 2018.

4. As of today (Wednesday, March 23, 2022), the master branch of the forked repository bahmutov/is-my-json-valid is 2 commits ahead and 43 commits behind the master branch of it's base repository - mafintosh/is-my-json-valid. There is even an open Pull Request to merge the changes from these 2 commits into the base repository - fix: handle custom formats with null values mafintosh/is-my-json-valid#161.

5. Meanwhile, both mafintosh/is-my-json-valid and consequently bahmutov/is-my-json-valid employ another sub-dependency - jsonpointer.

   1. In bahmutov/is-my-json-valid - see line 10 of package.json.

   2. In mafintosh/is-my-json-valid - see line 19 of package.json.

6. A Moderate security vulnerability was found in [email protected]. The vulnerability has been documented at CVE-2021-23807 for details.

7. The maintainer(s) of the node-jsonpointer repository fixed this issue via fix-prototype-pollution janl/node-jsonpointer#51. And later published a new major version - [email protected].

8. After this, the maintainer(s) of mafintosh/is-my-json-valid upgraded to [email protected] via Upgrade jsonpointer to address security vulnerability mafintosh/is-my-json-valid#188.

9. However, the forked repository - bahmutov/is-my-json-valid - has not been kept up to date with these new commits.

10. Hence, every cypress repository employing any versions of the @cypress/schema-tools plugin until v4.7.9 inherit the same security vulnerability - CVE-2021-23807 - incoming from [email protected].

Please assist in fixing / patching this security vulnerability.
Or provide any suggestions about what users of this plugin should be doing in the interim.

NOTE: Technically, this issue belongs in https://github.com/bahmutov/is-my-json-valid repository. But that repository does NOT allow me to open an Issue (I don't see the "Issues" tab at the top). So, I am opening this issue here.