Use of `request` package in the dependency tree

[ckeshava]

This package makes use of request@2.88.2 in its dependency tree. The request package has not been maintained and also contains security vulnerabilities as desbribed here: GHSA-p8p7-x288-28g6. Since there is no minor/patch version with a fix, I cannot update the package-lock file for this dependency.

Can you comment on the feasibility of this attack vector (or) how can I proceed next?

[ckeshava]

On a similar note, the jest-enzyme package makes use of micromatch dependency. However, there is a Regular Expression DoS associated with micromatch: GHSA-952p-6rrq-rcjv. The secure version is micromatch@4.0.8. I cannot upgrade across major versions myself in my package-lock file.

I'm not sure if the said attack vector is exposed in jest-enzyme, it might not be exploitable. How can I proceed further?

[ljharb]

ReDOS in a testing tool is basically not ever a concern.

Similarly, request's vulnerabilities don't apply to a testing environment where all code is trusted.

[ckeshava]

Okay. Would it be correct to assume that any untrusted user input is not relevant to the jest-enzyme package? Since it's used in a test environment?

[ljharb]

Yes, that's my understanding.