`<=3.0.4` is vulnerable, but we only have it as a subdependency of dev dependencies:
https://nvd.nist.gov/vuln/detail/CVE-2022-3517
```
yarn why minimatch
yarn why v1.22.19
[1/4] Why do we have the module "minimatch"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "minimatch@3.0.4"
info Has been hoisted to "minimatch"
info Reasons this module exists
- Hoisted from "eslint#minimatch"
- Hoisted from "tslint#minimatch"
- Hoisted from "eslint#@eslint#eslintrc#minimatch"
- Hoisted from "eslint#@humanwhocodes#config-array#minimatch"
- Hoisted from "mocha#glob#minimatch"
info Disk size without dependencies: "44KB"
info Disk size with unique dependencies: "64KB"
info Disk size with transitive dependencies: "124KB"
info Number of shared dependencies: 1
=> Found "mocha#minimatch@4.2.1"
info This module exists because "mocha" depends on it.
info Disk size without dependencies: "44KB"
info Disk size with unique dependencies: "64KB"
info Disk size with transitive dependencies: "124KB"
info Number of shared dependencies: 1
Done in 0.21s.
yarn upgrade --recursive "minimatch@>=3.0.5"
```
and afterwards:
```
yarn why minimatch
yarn why v1.22.19
[1/4] Why do we have the module "minimatch"...?
[2/4] Initialising dependency graph...
[3/4] Finding dependency...
[4/4] Calculating file sizes...
=> Found "minimatch@3.1.2"
info Has been hoisted to "minimatch"
info Reasons this module exists
- Hoisted from "eslint#minimatch"
- Hoisted from "tslint#minimatch"
- Hoisted from "glob#minimatch"
- Hoisted from "eslint#@eslint#eslintrc#minimatch"
- Hoisted from "eslint#@humanwhocodes#config-array#minimatch"
info Disk size without dependencies: "44KB"
info Disk size with unique dependencies: "64KB"
info Disk size with transitive dependencies: "124KB"
info Number of shared dependencies: 1
=> Found "mocha#minimatch@4.2.1"
info This module exists because "mocha" depends on it.
info Disk size without dependencies: "44KB"
info Disk size with unique dependencies: "64KB"
info Disk size with transitive dependencies: "124KB"
info Number of shared dependencies: 1
=> Found "mocha#glob#minimatch@3.1.2"
info This module exists because "mocha#glob" depends on it.
info Disk size without dependencies: "44KB"
info Disk size with unique dependencies: "64KB"
info Disk size with transitive dependencies: "124KB"
info Number of shared dependencies: 1
Done in 0.23s.
```
The combination of `resyncJoinedRooms`, `unprotectedWatchedListRooms`,
`explicitlyProtectedRoomIds`, `protectedJoinedRoomIds` was incomprehensible.
https://github.com/matrix-org/mjolnir/issues/370
Separating out the management of `explicitlyProtectedRoomIds`, then
making sure all policy lists have to be explicitly protected
(in either setting of `config.protectAllJoinedRooms`) will make
this code much much simpler.
We will later change the `status` command to explicitly show
which lists are watched and which are watched and protected.
### Auditing the lock file
```
npm install --package-lock-only
npm audit fix
rm yarn.lock
yarn import
```
```
npm audit
json-schema <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
Depends on vulnerable versions of json-schema
node_modules/jsprim
minimist <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist
nanoid 3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix`
node_modules/nanoid
node_modules/postcss/node_modules/nanoid
mocha 8.2.0 - 9.1.4
Depends on vulnerable versions of nanoid
node_modules/mocha
5 vulnerabilities (2 moderate, 3 critical)
To address all issues, run:
npm audit fix
```
### minimist
minimist@1.2.5 is used by mocha, tslint and matrix-bot-sdk@0.5.19 via
```
MatrixClient::replyHtmlText
MatrixClient::replyHtmlNotice
MatrixClient::sendHtmlNotice
MatrixClient::sendHtmlText
```
none of which we use.
### nanoid
As for nanoid, this is used by mocha.
It's also used by postcss via the bot SDK:
```
├─┬ matrix-bot-sdk@0.5.19
│ └─┬ sanitize-html@2.7.1
│ └─┬ postcss@8.4.16
│ ├── nanoid@3.3.4
```
though, unless I'm missing something, nanoid@3.3.4 doesn't fit into the vulnerable versions `3.0.0 - 3.1.30`.
### json-schema
As for json-schema, it is used by jsprim@1.4.2 within `validateJsonObjectJS`.
Fortunately we depend on jsprim via the http-signature@1.2.0 package, which only uses jsprim for rfc1123
(request depends upon http-signature in the matrix-bot-sdk):
```
├─┬ matrix-bot-sdk@0.5.19
│ ├─┬ request@2.88.2
│ │ ├─┬ http-signature@1.2.0
│ │ │ ├─┬ jsprim@1.4.2
│ │ │ │ ├── json-schema@0.4.0