Hi, @jan-molak, a vulnerability CVE-2021-23413 is introduced in authenticator-browser-extension via:
● authenticator-browser-extension@1.4.9 ➔ node-zip@1.1.1 ➔ jszip@2.5.0
node-zip is a legacy package. It has not been maintained for about 6 years, and is not likely to be updated.
Is it possible to migrate node-zip to another package to remediate this vulnerability?
I noticed several migration records for node-zip in other js repos, such as:
● in serverless, version 1.0.0-beta.1 ➔ 1.0.0-beta.2, migrate node-zip to jszip via commit
● in xlsx-template, version 0.0.7 ➔ 0.1.0, migrate node-zip to jszip via commit
● in node-lambda, version 0.11.4 ➔ 0.11.5, remove node-zip via commit
Are there any efforts planned that would remediate this vulnerability or migrate node-zip?
Thanks
; )
Unfortunately, it looks like node-zip can't be used instead of jszip as it can't generate zips in sync mode (see Stuk/jszip#281). Sync mode is required to generate extensions for Chrome in base64 string format.
There's a fork of jszip called jszip-sync, but it seems to have been abandoned 2 years ago.
I might give adm-zip a try, unless there are better alternatives you're aware of, @ayaka-kms?
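
The dependency chain reported in this issue can be confirmed mechanically before and after a migration. The following is an added example, not code from this repository: it walks a tree in the shape produced by `npm ls --all --json` and reports which direct dependency pulls in the flagged package. The sample tree is constructed; `example-dep` and the function names are hypothetical.

```javascript
// Constructed sample in the shape of `npm ls --all --json` output.
// Only the node-zip -> jszip chain comes from the issue; "example-dep" is made up.
const sampleTree = {
  name: "authenticator-browser-extension",
  version: "1.4.9",
  dependencies: {
    "node-zip": {
      version: "1.1.1",
      dependencies: {
        jszip: { version: "2.5.0" },
      },
    },
    "example-dep": { version: "0.0.1" },
  },
};

// Depth-first walk returning every chain from the root to
// targetName at one of the flagged versions.
function findPaths(tree, targetName, flaggedVersions) {
  const hits = [];
  const walk = (name, node, trail) => {
    const here = trail.concat(`${name}@${node.version}`);
    if (name === targetName && flaggedVersions.includes(node.version)) {
      hits.push(here);
    }
    for (const [childName, child] of Object.entries(node.dependencies || {})) {
      walk(childName, child, here);
    }
  };
  walk(tree.name, tree, []);
  return hits;
}

// Group hits by the direct dependency that introduces the target:
// that is the package the project itself has to upgrade or replace.
function directCulprits(paths) {
  const byDirect = {};
  for (const p of paths) {
    const direct = p.length > 1 ? p[1] : p[0];
    byDirect[direct] = byDirect[direct] || [];
    byDirect[direct].push(p.join(" -> "));
  }
  return byDirect;
}

const paths = findPaths(sampleTree, "jszip", ["2.5.0"]);
console.log(directCulprits(paths));
```

Running the same check after replacing node-zip should return an empty result for the flagged version.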