Medium severity vulnerability in chownr dependency

[ChrisBAshton]

Describe the bug
From Snyk:

✗ Medium severity vulnerability found in chownr
  Description: Time of Check Time of Use (TOCTOU)
  Info: https://snyk.io/vuln/npm:chownr:20180731
  Introduced through: speculate@1.7.4, compression-webpack-plugin@2.0.0, razzle@2.4.0, brotli-webpack-plugin@1.0.0
  From: speculate@1.7.4 > tar-fs@1.16.3 > chownr@1.1.1
  From: compression-webpack-plugin@2.0.0 > cacache@11.3.1 > chownr@1.1.1
  From: razzle@2.4.0 > uglifyjs-webpack-plugin@1.2.4 > cacache@10.0.4 > chownr@1.1.1
  and 8 more...

The vulnerability is introduced via several dependencies - not just Razzle - so may be difficult to sort out through dependency replacement/upgrades (though we should try that first).

If all else fails, we can try locking to a fixed version as we did in event-stream.

To Reproduce
Steps to reproduce the behavior:

1. npm install snyk
2. snyk auth (can't use Snyk otherwise)
3. snyk test
4. See output

Expected behavior
There should be no vulnerabilities.

• Initially labelled with "bug"

[dr3]

I have reported to snyk re isaacs/chownr#14 and they are going to look into it. It appears like this will either be removes as a vulnerability in snyk for 1.1.0 OR it will always be a vulnerability that fundamentally cant be fixed

I got this reply from Synk yesterday

Hi Drew
Thank you for reaching out to report the issue. 
We will look into it, and update the DB accordingly. CCing Benji to follow up on the findings.

Thanks again!
Danny

[ChrisBAshton]

Blocked pending outcome of Snyk discussion.

[ChrisBAshton]

I've emailed Snyk for an update.

[ChrisBAshton]

Response from Snyk:

"Thank you for your report! We've looked into the issue and decided to split it into two vulnerabilities, one medium severity that is fixed in 1.1.0, and another one with a low severity, unfixed as serves as an informational vulnerability."

Confirmed:

We should be able to resolve the Medium severity vulnerability by locking into 1.1.0 of chownr, and we should be able to mark the low severity vulnerability as 'safe' in the Snyk admin UI.

[bcmn]

We should be able to resolve the Medium severity vulnerability by locking into 1.1.0 of chownr, and we should be able to mark the low severity vulnerability as 'safe' in the Snyk admin UI.

As discussed in person, this doesn't seem to be available to us unless using Yarn.

[lirantal]

Thanks @ChrisBAshton and @dr3 for your report on this.

Snyk addressed the vulnerability report and maintainer's comments on the issue.
Upgrading to chownr version >= 1.1.1 should not report any vulnerabilities with chownr.

[bcmn]

Thanks very much for the update @lirantal -- I think we have a bit of a dependency chain, so we'll keep an eye on it & open issues in other repos as necessary.