Security Vulnerabilities: node-static in extension-monitor

[astangelo]

Description
The extension-monitor project imports the [email protected] which has two outstanding security vulnerabilities. The package is pulled in by way of [email protected], which is pulled in by [email protected], which is implemented in Dashboard. And while newer versions of minimist exist, node-static hasn't been updated in 4 years and optimist is deprecated. 😬

Security Vulnerabilities

1. Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95)
2. minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload

Expectations
Replacing node-static with another simple static file server. Those are fairly common on NPM, and you may already have a next-best choice. However, if you need help identifying one that doesn't have a current vulnerability against it, I'd be happy to help provide some suggestions.

Additional context

• This is not the same as ticket Change import of node-static in @hocuspocus/extension-monitor #487, though that also is asking for a change to the current version of node-static.
  • As that ticket points out, there's movement on the GitHub repo to fix existing issues, including this minimist issue, but it appears the repo owners are lax/non-responsive.

[mkriegeskorte]

@astangelo Thanks for your report! We’re looking into it ✌️

[janthurau]

hey @astangelo, thanks for the report! We're using it for the single purpose of serving the few dashboard files, do you have a recommendation on a simple, lightweight alternative to node-static?

[mkriegeskorte]

@astangelo I’ve swapped node-static for serve-handler in the PR above 🤞