Installation Blocked by Security Firewall due to lunr.js dependency

[Typhon0]

Hello,

I'm unable to install typedoc in an environment that uses a Sonatype Nexus firewall. The installation is blocked when it attempts to download lunr@2.3.9.

The firewall is flagging lunr for vulnerability sonatype-2021-1683, which is coming from an old mocha version vulnerable to ReDoS.

Here is what my investigation found:

• The vulnerability appears to originate from a mocha dependency within the lunr package.
• The mocha team has already addressed this issue, referenced in ReDoS mochajs/mocha#4766 and fix the regular expression for function clean in utils.js mochajs/mocha#4770.
• The lunr.js repository itself appears to be inactive. I have also opened an issue there to report this: Security vulnerability mocha package vulnerable to ReDoS olivernn/lunr.js#544.

I have not opened a pull request, as it seems a proper fix would involve a larger decision about the lunr.js dependency itself, given its status.

Thank you.

[Gerrit0]

I've seen some really dumb security scanners, but this report takes the cake...

Why on earth is Sonatype Nexus flagging a dev dependency of a dependency?! That will never be installed when installing TypeDoc or lunr unless you have a dependency on that version of mocha yourself. The only reason someone ought to care about that is if working on lunr...

[Typhon0]

Yep you're right I missed that it was a dev dependecy. I don't manage the Sonatype Nexus firewall so I don't know what are the possible configuration but I will contact them about that.

[Napster2709]

Hey.

But lunr is a normal dependancy of typedoc, or am i missing something?

@Gerrit0

[Gerrit0]

@Napster2709 yes, it is, but the vulnerability that's being complained about isn't in lunr, it is in the old mocha version which lunr has a dev dependency on.