Vulnerability Found: Missing Release of Resource after Effective Lifetime (SNYK-JS-INFLIGHT-6095116)

[lacort]

Hello !!

It has been identified that bcrypt@5.1.1 introduces a missing release of resource after effective lifetime vulnerability via a transitive dependency. The vulnerability is linked to the package inflight@1.0.6, as reported in the Snyk vulnerability database: SNYK-JS-INFLIGHT-6095116.

Vulnerability Path:

• bcrypt@5.1.1
  • @mapbox/node-pre-gyp@1.0.11
    • rimraf@3.0.2
      • glob@7.2.0
        • inflight@1.0.6

Severity: Medium Severity

Recommended Actions:

Currently, no patch or upgrade is available to address this vulnerability. I recommend that the team investigate possible mitigations, whether by updating or removing the affected transitive dependencies, or by finding alternative solutions to reduce the security risk.

Thank you for your attention to this issue.

[madugba]

This has been a major challenge for me, I try writing an alternative patch for it seems not to still work. I know this is not yet been exploited but I think an urgent update is needed.
inflight Missing Release of Resource after Effective Lifetime
And to the best of my knowledge, inflight is out dated and is not being maintained.

[ross-prangnell]

The maintainers of @mapbox/node-pre-gyp have been working on a new version which removes this packages as well as addressing a number of other older packages.
Good news is they've just published a RC for 2.0.0.
The main breaking change appears to be dropping support for non LTS versions of node (so >=18)
I don't know enough about the bcrypt build to see if it would be any issue upgrading, but I've tried overriding it locally and it works fine for me.
Don't like idea of forcing the override though so once stable v2 available would be good to get it upgraded here.
I can help with a PR here if required, although may need discussion around the compatibility issue.
Also noticed there was attempt to migrate away from node-pre-gyp, to use prebuildify but that seems to have stalled