Dependency "decode-uri-component": "^0.2.0" contains vulnerability

[danisluk]

Unmaintained library decode-uri-component contains quite severe vulnerability.
GHSA-w573-4hg7-7wgq
Any chance, this could be fixed here possibly by replacing the lib?

[MasterJuan]

Also, npm audit fix proposes the below change:

Will install **query-string@4.3.4**, which is a breaking change
node_modules/decode-uri-component
  query-string  >=5.0.0
  Depends on vulnerable versions of decode-uri-component
  node_modules/query-string

So, actually proposes a downgrade of query-string version.

Instead of using decode-uri-component can you replace it with https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/decodeURIComponent

[redonkulus]

@sindresorhus what do you suggest to mitigate this vulnerability?

[ryanadhi]

seems like a fix is on the way on decode-uri-component SamVerschueren/decode-uri-component#6 (comment)

[MattTranGrainbridge]

Fix released for decode-uri-component: https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1

[taejs]

@viczhuravlev
@sindresorhus
@rawle51

Hi
query-string@5 is EOL?
I just wonder there's any plan to also apply this changes to v5, v6

I can create PR for this

[sindresorhus]

I just wonder there's any plan to also apply this changes to v5, v6

No plans, but it's a patch release, so you should get the latest one there anyways thanks to server.