Describe the bug
@stoplight/elements depends on json-schema-generator, which uses the legacy optimist package. optimist is vulnerable to CVE-2020-7598. Since optimist has not been updated for 8 years, teams are switching to other libraries. (Example) However, json-schema-generator has not been updated for 4 years, so is unlikely to move off optimist. Hence, my bug report to stoplight!
To Reproduce
Install @stoplight/elements 6 or later, and run npm audit --production.
Expected behavior
npm reports no production vulnerabilities.
Additional context
Angular 13 / @stoplight/elements
Screenshots
Output of npm audit --production:
minimist <0.2.1
Severity: moderate
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
fix available via npm audit fix --force
Will install @stoplight/elements@6.4.1, which is a breaking change
node_modules/optimist/node_modules/minimist
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/optimist
json-schema-generator *
Depends on vulnerable versions of optimist
node_modules/json-schema-generator
@stoplight/http-spec 2.11.0 - 4.3.0
Depends on vulnerable versions of json-schema-generator
node_modules/@stoplight/http-spec
@stoplight/elements >=6.0.0-alpha.1
Depends on vulnerable versions of @stoplight/elements-core
Depends on vulnerable versions of @stoplight/http-spec
node_modules/@stoplight/elements
Environment (remove any that are not applicable):
Worth noting: npm audit fix --force does not fix the problem.
Would it be possible to move off json-schema-generator?
We are currently using Stoplight as: served by AWS Cloudfront for a low-impact developer documentation website, as an advanced proof of concept. It looks great -- thank you so much. But we've also made a note on the calendar to find a different solution if the prod vulnerabilities are not eventually remediated. We can only use Stoplight long-term if npm audit --production returns 0 vulnerabilities.
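The audit output above is the human-readable rendering of a chain that npm also exposes as `npm audit --json`. As an added example (not code from the issue or from Stoplight), the following walks such a report from each root advisory up to the direct dependency that pulls it in and flags whether the offered fix is a breaking upgrade, which is the question the reporter is really asking; the report object is constructed from the chain shown in the issue, with @stoplight/elements-core left out for brevity.

```javascript
// Constructed sample of `npm audit --json` (auditReportVersion 2) output,
// mirroring the minimist -> ... -> @stoplight/elements chain in the issue.
const fix = { name: '@stoplight/elements', version: '6.4.1', isSemVerMajor: true };
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    minimist: {
      name: 'minimist', severity: 'moderate', isDirect: false, range: '<0.2.1',
      via: [{ name: 'minimist', title: 'Prototype Pollution in minimist', severity: 'moderate',
              url: 'https://github.com/advisories/GHSA-vh95-rmgr-6w4m', range: '<0.2.1' }],
      effects: ['optimist'], nodes: ['node_modules/optimist/node_modules/minimist'], fixAvailable: fix,
    },
    optimist: { name: 'optimist', isDirect: false, via: ['minimist'], effects: ['json-schema-generator'],
      nodes: ['node_modules/optimist'], fixAvailable: fix },
    'json-schema-generator': { name: 'json-schema-generator', isDirect: false, via: ['optimist'],
      effects: ['@stoplight/http-spec'], nodes: ['node_modules/json-schema-generator'], fixAvailable: fix },
    '@stoplight/http-spec': { name: '@stoplight/http-spec', isDirect: false, via: ['json-schema-generator'],
      effects: ['@stoplight/elements'], nodes: ['node_modules/@stoplight/http-spec'], fixAvailable: fix },
    '@stoplight/elements': { name: '@stoplight/elements', isDirect: true, via: ['@stoplight/http-spec'],
      effects: [], nodes: ['node_modules/@stoplight/elements'], fixAvailable: true },
  },
};

// Root causes: entries whose `via` carries an advisory object, not merely the
// name of another vulnerable package further down the chain.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities).filter((v) => v.via.some((x) => typeof x === 'object'));
}

// Follow `effects` upward from `name` to each direct dependency that pulls it in.
// Returns one " -> " chain per path; `seen` guards against cycles in the graph.
function chainsToDirect(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];
  const next = new Set(seen).add(name);
  if (entry.isDirect || entry.effects.length === 0) return [name];
  return entry.effects.flatMap((parent) => chainsToDirect(report, parent, next).map((c) => `${name} -> ${c}`));
}

// `fixAvailable` is true, false or {name, version, isSemVerMajor}; only the
// object form with isSemVerMajor means `npm audit fix` needs --force.
function fixIsBreaking(report, name) {
  const f = report.vulnerabilities[name].fixAvailable;
  return typeof f === 'object' && f !== null && f.isSemVerMajor === true;
}

// One line per root advisory: the vulnerable range, the advisory id, how it is
// reached from a direct dependency, and whether the fix is a major bump.
function summarize(report) {
  return rootAdvisories(report).map((v) => {
    const adv = v.via.find((x) => typeof x === 'object');
    const breaking = fixIsBreaking(report, v.name) ? 'fix is a breaking upgrade' : 'fix is non-breaking or unavailable';
    return `${v.name} ${adv.range} (${adv.url.split('/').pop()}): ${chainsToDirect(report, v.name).join(' | ')}; ${breaking}`;
  });
}

console.log(summarize(sampleReport).join('\n'));
```

Feeding a real report in with `npm audit --json | node walk.js` replaces `sampleReport` with `JSON.parse` of stdin; the same functions apply unchanged.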
I will just add it appears that we are using json-schema-generator in literally one line of http-spec, so I guess swapping it for something shouldn't be too difficult.
Probably a good idea to ditch that dependency anyway as it's not been updated for four years and is based on draft4.
Stoplight does have an old fork knocking around used by api-spec-converter (defunct and should be deleted) which could be updated if you wanted to make a quick change, but finding something else is probably an option.