Vulnerable is-email dependency in 4.1.11

[vinczemarton]

I have "@segment/analytics.js-core": "4.1.11", installed.

When running npm audit I get the following error:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Improper Input Validation in is-email                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ is-email                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @segment/analytics.js-core                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @segment/analytics.js-core > segmentio-facade > is-email     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-j377-2x76-558h            │
└───────────────┴──────────────────────────────────────────────────────────────┘

I understand that there is a fix for is-email, but since segmentio-facade depends on the exact version 0.1.0 I'm not sure if it is compatible.

Can you update the dependencies for segmentio-facade and @segment/analytics.js-core that they don't use is-email 0.1.0?

[mkysel]

I've run into the same issue. It seems that segmentio-facade has been renamed to @segment/facade. The newest release of that new name has removed the dependency on is-email.

This diff should fix the security vulnerability

diff --git a/package.json b/package.json
index f72842c..9068476 100644
--- a/package.json
+++ b/package.json
@@ -37,6 +37,7 @@
     "@ndhoule/pick": "^2.0.0",
     "@segment/canonical": "^1.0.0",
     "@segment/cookie": "^1.1.5",
+    "@segment/facade": "^3.4.0",
     "@segment/is-meta": "^1.0.0",
     "@segment/isodate": "^1.0.2",
     "@segment/isodate-traverse": "^1.0.1",
@@ -57,7 +58,6 @@
     "new-date": "^1.0.0",
     "next-tick": "^0.2.2",
     "package-json-versionify": "^1.0.4",
-    "segmentio-facade": "^3.2.7",
     "spark-md5": "^2.0.2",
     "uuid": "^3.4.0"
   },

but some changes to the actual codebase will be required.

[remotezygote]

^^^ PR opened with those changes.

[TonyRippy]

Hi all, any updates on this?