
npm audit fix prompts me to downgrade to Concurrently@3 #274

Closed
adamnovak opened this issue May 6, 2021 · 4 comments
@adamnovak

Someone discovered today that hosted-git-info, used by normalize-package-data, used by read-pkg, used by concurrently, had a polynomial-time regex implementation. This constitutes a medium-severity security vulnerability (I guess if you feed it an untrusted regex?), and hence the tooling has decided it wants to downgrade me to a version of Concurrently from before it depended on any of the affected modules.

Can the Concurrently team go bother people further down the dependency chain to update? Or else somehow inform npm audit that this vulnerability does not actually exist in the context of concurrently because no untrusted regexes are involved?

@gustavohenke
Member

Hi @adamnovak!
Looks like read-pkg@6 fixes the problem, but that's a major upgrade which involves concurrently no longer supporting Node 10. I'll see what can be done.

@Tasteful

Tasteful commented May 7, 2021

@gustavohenke If I found where read-pkg is used, it looks like it is in one place, https://github.com/kimmobrunfeldt/concurrently/blob/70b92daadd262c855e1e2928d13007a2b7009661/src/command-parser/expand-npm-wildcard.js#L20, where the package.json is parsed to find all the scripts. I haven't read the package.json specification, but would it be possible to read the package.json with a simpler JSON parser instead, to drop the dependency?

@gustavohenke
Member

gustavohenke commented May 9, 2021

Possibly, but I'd like to check why it was introduced in the first place.

But to be fair, Node 10 reached EOL -- it's no longer in maintenance mode according to https://nodejs.org/en/about/releases/.
So concurrently should probably follow suit, and upgrade its dependencies.

@gustavohenke
Member

Hey all.
Fix is in v6.2.2. Still supporting Node 10.
