
Please update configstore usage #4594

Closed
PeterJCLaw opened this issue Jun 28, 2023 · 8 comments

Comments

@PeterJCLaw

cspell 6.x transitively depends on semver 6.3.0, which has a reported regular expression denial-of-service vulnerability in versions prior to 7.5.3 (GHSA-c2qf-rxjj-qqgw). cspell's direct dependency on semver is already compatible with fixed versions, so the issue is just about the transitive dependency.

The transitive chain is as follows:

$ npm why semver
semver@6.3.0
node_modules/make-dir/node_modules/semver
  semver@"^6.0.0" from make-dir@3.1.0
  node_modules/make-dir
    make-dir@"^3.0.0" from configstore@5.0.1
    node_modules/configstore
      configstore@"^5.0.1" from cspell-lib@6.31.1
      node_modules/cspell-lib
        cspell-lib@"6.31.1" from cspell@6.31.1
        node_modules/cspell
          cspell@"^6.31.1" from the root project

semver@7.5.3
node_modules/semver
  semver@"^7.3.8" from cspell@6.31.1
  node_modules/cspell
    cspell@"^6.31.1" from the root project

In theory this could be easily fixed by updating configstore from 5.x to 6.x, however 6.x is ESM which I suspect means this is blocked on #4267.
configstore 6.x removes its dependence on make-dir in favour of the equivalent NodeJS builtin, though bumps its minimum supported NodeJS version to 12 (https://github.com/yeoman/configstore/releases). As cspell 6.x already depends on Node 14, however, that aspect should not be an issue.

For others affected by this -- I'm currently working around this by applying a package override:

  "overrides": {
    "configstore": {
      "make-dir": "^4.0.0"
    }
  }

make-dir v4 bumps the minimum Node version required to 10 but otherwise seems to be compatible.
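As an added example (not code from the issue or from cspell), the following walks an `npm ls --json`-style dependency tree and reports every path that reaches a semver below the first fixed release. The tree is constructed to mirror the `npm why semver` output above and is not real `npm ls` output; plain x.y.z versions are assumed.

```javascript
// Constructed tree mirroring the chain in the issue (not real `npm ls` output).
const tree = {
  name: "root-project",
  dependencies: {
    cspell: {
      version: "6.31.1",
      dependencies: {
        semver: { version: "7.5.3" }, // direct dependency, already fixed
        "cspell-lib": {
          version: "6.31.1",
          dependencies: {
            configstore: {
              version: "5.0.1",
              dependencies: {
                "make-dir": {
                  version: "3.1.0",
                  dependencies: { semver: { version: "6.3.0" } }, // affected
                },
              },
            },
          },
        },
      },
    },
  },
};

// Numeric comparison of dotted x.y.z versions; returns <0, 0 or >0.
// Assumes release versions only (no pre-release suffixes).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Depth-first walk collecting every dependency path that ends in `pkg`
// with a version lower than `fixed` (here semver < 7.5.3, per the advisory).
function findVulnerablePaths(node, pkg, fixed, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === pkg && compareVersions(dep.version, fixed) < 0) hits.push(here);
    hits.push(...findVulnerablePaths(dep, pkg, fixed, here));
  }
  return hits;
}

for (const p of findVulnerablePaths(tree, "semver", "7.5.3")) console.log(p.join(" > "));
```

Feeding it real `npm ls --all --json` output instead of the constructed tree gives the same per-path report, which is a quick way to confirm an override such as the one above actually removed the affected copy.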

@iainelder

Dependabot opened an alert in my repo because of the semver version. Your workaround closed the alert. Thanks for sharing!

I'll follow this so that when it is resolved I may remove the override.

@Jason3S
Collaborator

Jason3S commented Jul 3, 2023

@PeterJCLaw and @iainelder,

Please reach out to configstore to update their requirements for 5.x.

I'll release CSpell 7 soon. It has been updated to ESM and uses configstore 6. See

"configstore": "^6.0.0",

Making the changes to CSpell 6 is too extensive to warrant the change.

@iainelder

> Please reach out to configstore to update their requirements for 5.x.

I'll leave that up to others in this issue. I'm not a Javascript developer, just a user of cspell.

@PeterJCLaw
Author

> Please reach out to configstore to update their requirements for 5.x.

Hrm. configstore 5.x depends on Node v8, while make-dir 4.x depends on Node v10 (while make-dir 3.x did not), so configstore would need to relax their version restrictions on make-dir to allow both 3.x and 4.x. I guess it's worth asking.

@iainelder

Hi, @Jason3S . Just checking in now that CSpell 7 is out.

Will #4718 resolve this issue?

@iainelder

I just reread your comment. Is this already solved in CSpell 7?

> I'll release CSpell 7 soon. It has been updated to ESM and uses configstore 6.

If so, I'll upgrade from CSpell 6.

@Jason3S
Collaborator

Jason3S commented Sep 1, 2023

@iainelder,

I forgot to mark this as completed. CSpell 7 ships with configstore 6.

My plan is to move away from configstore (#4718) to conf. It is the same author, but with better support. Since the location of the config has changed, I need to come up with a transition plan.

@Jason3S Jason3S closed this as completed Sep 1, 2023
@github-actions
Contributor

github-actions bot commented Oct 2, 2023

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 2, 2023