
A high severity vulnerability introduced in @jupyterlab/buildutils #10818

Closed
ayaka-kms opened this issue Aug 12, 2021 · 2 comments · Fixed by #10828
Labels
bug status:resolved-locked Closed issues are locked after 30 days inactivity. Please open a new issue for related discussion.

Comments


ayaka-kms commented Aug 12, 2021

Hi, a vulnerability CVE-2021-27290 is introduced in npm-cli-login via:
● @jupyterlab/buildutils@3.1.6 ➔ npm-cli-login@0.1.1 ➔ npm-registry-client@8.6.0 ➔ ssri@5.3.0

However, npm-cli-login is a legacy package, which has not been maintained for about 3 years.
Is it possible to migrate npm-cli-login to another package or remove it to remediate this vulnerability?

I noticed several migration records in other js repo for npm-cli-login:

● in @cloudant/cloudant, version 4.1.0 ➔ 4.1.1, remove recompose via commit

Thanks.

@ayaka-kms ayaka-kms added the bug label Aug 12, 2021

welcome bot commented Aug 12, 2021

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

krassowski (Member) commented

Hi @ayaka-kms, thank you for the nudge on this one. This dependency was only used for testing and not invoked in the user-facing part ever, so it should not be a problem given that the vulnerability in question is a ReDoS. Still, the package in question was indeed an outdated and unnecessary dependency and it was just removed in #10828.

In future, if you discover a security vulnerability in JupyterLab, or are confident that a vulnerability in a dependency makes JupyterLab vulnerable (which fortunately was not the case here) you can follow the responsible disclosure guidelines and report it to the address shown in the JupyterLab security policy.
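The two comments above turn on one question a triager has to answer for every transitive-dependency advisory: is the flagged package reachable from production code, or only through a devDependency edge (as was the case for the npm-cli-login ➔ npm-registry-client ➔ ssri@5.3.0 chain)? The script below is an added example, not JupyterLab's code or part of #10828. It walks an npm lockfile in the v2/v3 "packages" layout, enumerates every dependency path from the root to a named package (optionally pinned to a version), and classifies the exposure as dev-only, runtime, or absent. The lockfile object is constructed inline for illustration: the buildutils chain and its versions come from the issue, while the root project, the "web-client" package and ssri@6.0.2 are assumptions added so that both outcomes can be contrasted.

```javascript
// Added example (not JupyterLab's or npm's code): find every path from the root
// of an npm lockfile (lockfileVersion 2/3, "packages" layout) to a given
// package and decide whether all of those paths go through devDependencies.

// Constructed lockfile for illustration. The chain
// @jupyterlab/buildutils@3.1.6 -> npm-cli-login@0.1.1 -> npm-registry-client@8.6.0 -> ssri@5.3.0
// mirrors the issue; the root project, "web-client" and ssri@6.0.2 are assumptions.
const lockfile = {
  name: "example-project",
  lockfileVersion: 2,
  packages: {
    "": {
      dependencies: { "web-client": "^1.0.0" },
      devDependencies: { "@jupyterlab/buildutils": "^3.1.6" },
    },
    "node_modules/web-client": { version: "1.0.0", dependencies: { ssri: "^6.0.0" } },
    "node_modules/ssri": { version: "6.0.2" },
    "node_modules/@jupyterlab/buildutils": {
      version: "3.1.6", dev: true, dependencies: { "npm-cli-login": "^0.1.1" },
    },
    "node_modules/npm-cli-login": {
      version: "0.1.1", dev: true, dependencies: { "npm-registry-client": "^8.6.0" },
    },
    "node_modules/npm-registry-client": {
      version: "8.6.0", dev: true, dependencies: { ssri: "^5.2.4" },
    },
    // nested copy: npm could not hoist it because ssri@6 already sits at the top
    "node_modules/npm-registry-client/node_modules/ssri": { version: "5.3.0", dev: true },
  },
};

// Resolve the lockfile key for dependency `name` as seen from the package at
// `fromKey`: nested node_modules are checked first, then each ancestor's, then
// the hoisted top-level directory.
function resolveDep(packages, fromKey, name) {
  let base = fromKey;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name from a lockfile key, keeping scopes ("@jupyterlab/buildutils").
function pkgName(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Enumerate every dependency path from the root to a package named `target`.
// `devOnly` is true when the path entered the tree via the root's
// devDependencies; `flaggedDev` is the lockfile's own "dev" marker for cross-checking.
function findPaths(lockfile, target, version) {
  const packages = lockfile.packages;
  const results = [];

  function walk(key, chain, viaDev, seen) {
    const pkg = packages[key];
    if (!pkg) return;
    if (key !== "" && pkgName(key) === target) {
      if (version === undefined || pkg.version === version) {
        results.push({ path: chain, version: pkg.version, devOnly: viaDev, flaggedDev: pkg.dev === true });
      }
      return;
    }
    if (seen.has(key)) return; // guard against dependency cycles
    const next = new Set(seen).add(key);
    const edges = Object.keys(pkg.dependencies || {}).map((n) => [n, viaDev]);
    if (key === "") { // only the root's devDependencies are installed
      edges.push(...Object.keys(pkg.devDependencies || {}).map((n) => [n, true]));
    }
    for (const [name, dev] of edges) {
      const depKey = resolveDep(packages, key, name);
      if (!depKey) continue;
      walk(depKey, [...chain, `${name}@${packages[depKey].version}`], dev, next);
    }
  }
  walk("", [], false, new Set());
  return results;
}

// "dev-only" if every path is a devDependency path, "runtime" if at least one
// path is reachable from production dependencies, "absent" if none exists.
function exposure(lockfile, target, version) {
  const paths = findPaths(lockfile, target, version);
  if (paths.length === 0) return { status: "absent", paths };
  const runtime = paths.some((p) => !p.devOnly);
  return { status: runtime ? "runtime" : "dev-only", paths };
}

for (const [name, ver] of [["ssri", "5.3.0"], ["ssri", undefined]]) {
  const r = exposure(lockfile, name, ver);
  console.log(`${name}${ver ? "@" + ver : ""}: ${r.status}`);
  for (const p of r.paths) console.log("  " + p.path.join(" -> "));
}
```

Run with `node`, replacing the inline object with `JSON.parse(fs.readFileSync("package-lock.json"))` for a real project. The walk deliberately recomputes dev-only status from the graph rather than trusting the `dev` flag, so a disagreement between `devOnly` and `flaggedDev` is itself a signal worth investigating (a hand-edited or stale lockfile); and because the pinned query reports only the affected version, a hoisted newer copy of the same package does not mask a vulnerable nested one.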

@github-actions github-actions bot added the status:resolved-locked Closed issues are locked after 30 days inactivity. Please open a new issue for related discussion. label Feb 11, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 11, 2022