Security Violations in sub-dependencies; marked, parse-link-header, underscore. CVE-2022-21680, CVE-2021-23490, CVE-2021-23358 #888

@realmbjorck

Hi, I found Security Violations in api-console which prevent me from using this component in my project.

Security Violations
┌────────────────┬──────────┬───────────────────┬────────────┬───────────────────┬───────────┬──────────┬──────┬───────────────────┐
│ CVE            │ SEVERITY │ DIRECT            │ DIRECT     │ AFFECTED          │ AFFECTED  │ FIXED    │ TYPE │ WATCH NAME        │
│                │          │ DEPENDENCY        │ DEPENDENCY │ COMPONENT         │ COMPONENT │ VERSIONS │      │                   │
│                │          │                   │ VERSION    │ NAME              │ VERSION   │          │      │                   │
├────────────────┼──────────┼───────────────────┼────────────┼───────────────────┼───────────┼──────────┼──────┼───────────────────┤
│ CVE-2022-21680 │ High     │ marked            │ 0.7.0      │ marked            │ 0.7.0     │ [4.0.10] │ npm  │ watcher-any-build │
├────────────────┼──────────┼───────────────────┼────────────┼───────────────────┼───────────┼──────────┼──────┼───────────────────┤
│ CVE-2021-23490 │ High     │ parse-link-header │ 1.0.1      │ parse-link-header │ 1.0.1     │ [2.0.0]  │ npm  │ watcher-any-build │
├────────────────┼──────────┼───────────────────┼────────────┼───────────────────┼───────────┼──────────┼──────┼───────────────────┤
│ CVE-2021-23358 │ High     │ underscore        │ 1.6.0      │ underscore        │ 1.6.0     │ [1.12.1] │ npm  │ watcher-any-build │
└────────────────┴──────────┴───────────────────┴────────────┴───────────────────┴───────────┴──────────┴──────┴───────────────────┘

npm ls --all marked
marked@0.7.0

└─┬ api-console@6.6.57
  └─┬ @advanced-rest-client/arc-marked@1.1.2
    └── marked@0.7.0

npm ls --all parse-link-header
parse-link-header@1.0.1

└─┬ api-console@6.6.57
  └─┬ @api-components/api-summary@4.6.17
    └─┬ @api-components/api-model-generator@0.2.14
      └─┬ amf-client-js@4.7.8
        └─┬ amf-shacl-node@2.0.0
          └─┬ @comunica/actor-init-sparql-rdfjs@1.22.3
            └─┬ @comunica/actor-init-sparql@1.22.3
              ├─┬ @comunica/actor-http-memento@1.22.1
              │ └── parse-link-header@1.0.1
              └─┬ @comunica/actor-http-native@1.22.1
                └── parse-link-header@1.0.1

npm ls --all underscore
underscore@1.6.0

└─┬ api-console@6.6.57
  └─┬ @api-components/api-request@0.3.8
    └─┬ @api-components/api-body-editor@4.0.10
      └─┬ @advanced-rest-client/raw-payload-editor@3.0.7
        └─┬ @advanced-rest-client/code-mirror-linter@3.0.2
          └─┬ jsonlint@1.6.3
            └─┬ nomnom@1.8.1
              └── underscore@1.6.0
