Lerna uses alternate version of npm-registry-fetch which does not include recent security fix

[keving17]

Expected Behavior

Lerna uses dependency @evocateur/npm-registry-fetch which appears to be an unmaintained version of npm/npm-registry-fetch. Last month npm/npm-registry-fetch released an update that resolves a security vulnerability where logs stored user credentials. Logs should not include sensitive data: https://exchange.xforce.ibmcloud.com/vulnerabilities/184667

Current Behavior

Logs currently store user credentials since @evocateur/npm-registry-fetch has not been updated to pull in the security fix.
https://github.com/evocateur/npm-registry-fetch/blob/latest/check-response.js#L34

Possible Solution

Lerna can use the original npm/npm-registry-fetch or needs to get @evocateur/npm-registry-fetch to update with the security fix. Here is the PR that appears to have resolved issue for npm/npm-registry-fetch: npm/npm-registry-fetch#29

Steps to Reproduce (for bugs)

1. Check logs to see if user credentials appear

[github-actions]

Hi Folks 👋

You may or may not know that lerna is now under the stewardship of Nrwl (announcement here #3121), a company with a long history of not just producing valuable open-source software (OSS), but also backing others (at the time of writing, Nrwl has donated over $50,000 to OSS it hasn't created, see https://opencollective.com/nx for full details).

Quite simply, Nrwl ❤️ OSS, and is committed to making lerna the best it can be. We use it ourselves.

In order to take this awesome project forward from its current state, it is important that we focus our finite resources on what is most important to lerna users in 2022.

With that in mind, we have identified this issue as being potentially stale due to its age and/or lack of recent activity.

---

Next steps:

We want to give you some time to read through this comment and take action per one of the steps outlined below, so for the next 14 days we will not make any further updates to this issue.

@keving17 as the original author of this issue, we are looking to you to update us on the latest state of this as it relates to the latest version of lerna.

Please choose one of the steps below, depending on what type of issue this is:

• A) If this issue relates to a potential BUG in the latest version of lerna:

  • Please head over to https://github.com/lerna/repro, fork the repo and apply the changes necessary to reproduce the bug. Then open a PR to that https://github.com/lerna/repro repo and comment back to this thread with the PR number so that we can take a look into the problem and provide a fix.

• B) If this issue is a FEATURE request to be added to the latest version of lerna:

  • Simply comment back on this thread so that we know you still want us to consider the request for the latest version of lerna.

• C) If this issue is a QUESTION which is applicable to latest version of lerna:

  • Please convert the issue to be a Discussion instead: https://github.com/lerna/lerna/discussions

• D) If this issue is no longer applicable to the latest version of lerna:

  • Please close the issue.

---

If we do not hear from @keving17 on this thread within the next 14 days, we will automatically close this issue.

If you are another user impacted by this issue but it ends up being closed as part of this process, we still want to hear from you! Please simply head over to our new issue templates and fill out all the requested details on the template which applies to your situation:

https://github.com/lerna/lerna/issues/new/choose

Thank you all for being a part of this awesome community, we could not be more excited to help move things forward from here 🙏 🚀

[JamesHenry]

Hi @keving17, following on from the note above, looking at this issue specifically the relevant packages have all since been refactored/patched and there are no such audit warnings when using our latest v5 packages we released since we took over.

Many thanks again!