Hi, @thornjad @zbynek, there is a high-severity vulnerability introduced in your package http-server:
Issue Description
A vulnerability CVE-2017-1000048 detected in package qs(<6.0.4,>=6.1.0 <6.1.2,>=6.2.0 <6.2.3,>=6.3.0 <6.3.2) is transitively referenced by http-server@0.11.1. We noticed that such a vulnerability has been removed since http-server@0.12.0.
However, http-server's popular previous version http-server@0.11.1 (90,689 downloads per week) is still transitively referenced by a large number of the latest versions of active and popular downstream projects (about 247 downstream projects, e.g., quiz-react-sdk 17.14.0, quiz-presets 17.14.0, @instructure/ui-scripts 8.6.0, @instructure/quiz-number-input 17.14.0, @instructure/quiz-taking 17.14.0, @yuuvis/project@2.0.2, etc.).
As such, issue CVE-2017-1000048 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade http-server from version 0.11.1 to (>=0.12.0). For instance, http-server@0.11.1 is introduced into the above projects via the following package dependency paths:
(1)@yuuvis/project@2.0.2 ➔ @eo-sdk/proxy@1.0.5 ➔ http-server@0.11.1 ➔ union@0.4.6 ➔ qs@2.3.3
......
The projects such as @eo-sdk/proxy, which introduced http-server@0.11.1, are not maintained anymore. These unmaintained packages can neither upgrade http-server nor be easily migrated away from by the large number of affected downstream projects.
On behalf of the downstream users, could you help us remove the vulnerability from package http-server@0.11.1?
Suggested Solution
Since these inactive projects set a version constraint 0.11.* for http-server on the above vulnerable dependency paths, if http-server removes the vulnerability from 0.11.1 and releases a new patched version http-server@0.11.2, such a vulnerability patch can be automatically propagated into the 247 affected downstream projects.
In http-server@0.11.2, you can kindly try to perform the following upgrade:
union ~0.4.3 ➔ ~0.5.0;
Note:
union@0.5.0(>=0.5.0) directly depends on qs@6.10.1 (a vulnerability CVE-2017-1000048 patched version)
Thank you for your help.
Best regards,
Paimon