Unmaintained dependency (istanbuljs) & security vulnerabilities?

[tvongaza]

It seems like instanbuljs is not actively being maintained. There is at least one dependency to the instanbuljs project with a security vulnerability which has had a fix sitting open for over 2 weeks, and no releases since fall of last year. I worry that the project may no longer be maintained, leaving vitest with a dependency with an open security issue, thus our project (while just for development) with an open security issue.

Any advice on working around this security issue in the depedency?

[AriPerkkio]

Any advice on working around this security issue in the depedency?

You could use your package manager to override this dependency's version. E.g. overrides property in package.json.

Note that the istanbul-lib-instrument and istanbul-lib-report packages are only used by @vitest/coverage-* packages. The main vitest package does not depend on them.

My personal opinion is that these ReDoS vulnerabilities are mostly just noise in NPM ecosystem - especially in tooling related packages. In this case the practical issue you could run is that your coverage report generation could be slower if someone already had access on your machine/CI and exploited the vulnerability.

[AriPerkkio]

Istanbul packages have now released new versions. However we'll need to release new version of @vitest/coverage-istanbul: #3814