
5 security issues in the dependencies of @confluentinc/schemaregistry (high vulnerability) #429

@LIlianHub

Description


Environment Information

  • OS [e.g. Mac, Arch, Windows 10]: Ubuntu 22.04.5 LTS, node22-bookworm-slim
  • Node Version [e.g. 8.2.1]: v22.20.0
  • NPM Version [e.g. 5.4.2]: 10.9.3
  • C++ Toolchain [e.g. Visual Studio, llvm, g++]: /
  • confluent-kafka-javascript version [e.g. 2.3.3]: latest (1.8.0)

Steps to Reproduce

5 security issues in the dependencies of @confluentinc/schemaregistry (high vulnerability).

Install the latest version of @confluentinc/schemaregistry via your package.json

{
    "dependencies": {
        "@confluentinc/schemaregistry": "^1.8.0"
    }
}

Install the package that depends on @confluentinc/schemaregistry with npm install, then run npm audit to get this output:

# npm audit report

qs  <6.14.1
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
No fix available
node_modules/qs
  postman-request  *
  Depends on vulnerable versions of qs
  node_modules/postman-request
    node-vault  0.9.22-canary.0 || >=0.9.23-canary.1
    Depends on vulnerable versions of postman-request
    node_modules/node-vault
      @confluentinc/schemaregistry  *
      Depends on vulnerable versions of node-vault
      node_modules/@confluentinc/schemaregistry
        node-red-contrib-michelin-kafkajs  >=1.0.9
        Depends on vulnerable versions of @confluentinc/schemaregistry
        node_modules/node-red-contrib-michelin-kafkajs

5 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

confluent-kafka-javascript Configuration Settings

/

Additional context

/
