Context: The `@sitecore-jss/sitecore-jss` core package depends on `url-parse@^1.5.10` and `memory-cache@^0.2.0`. The `url-parse` package has a history of authorization bypass and SSRF vulnerabilities (CVE-2022-0686, CVE-2022-0639, CVE-2022-0512). While the current version range (^1.5.10) should resolve to a patched version (1.5.10+), this must be confirmed against the versions actually resolved in `yarn.lock` rather than assumed from the declared range. `memory-cache` was last published in 2020 and receives no maintenance — it should be evaluated for replacement or documented as a known risk.
Steps:
1. Run `yarn audit` from the monorepo root and capture output
2. For each critical/high finding, determine if the vulnerable version is actually resolved (check `yarn.lock`)
3. Verify `url-parse` resolves to >=1.5.8 (the version fixing CVE-2022-0686)
4. Evaluate `memory-cache` alternatives (e.g., `lru-cache`) — if replacement is too costly for maintenance mode, document as known technical debt with risk assessment
5. Fix any critical/high audit findings that can be resolved via version bumps
6. Document remaining unfixable findings in a SECURITY.md or issue
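The lockfile check in steps 2 and 3, as an added example (not part of this ticket or the JSS repository): it lists every resolved copy of a package in a Yarn classic (v1) `yarn.lock` and compares each against a minimum version, since a transitive dependency can pull in an older `url-parse` alongside the direct `^1.5.10` one. The sample lockfile is constructed; `resolved_versions`, `version_ge` and `check_min_version` are hypothetical helper names.

```shell
#!/bin/sh
# Added example for this ticket (not project code): list every resolved copy of a
# package in a Yarn classic (v1) yarn.lock and check each against a minimum version.
# A lockfile can hold several copies of url-parse (the direct ^1.5.10 range plus
# older ranges pulled in transitively), so checking only the first block is not enough.

# Constructed sample lockfile in yarn.lock v1 syntax; versions are illustrative.
SAMPLE_LOCK='# yarn lockfile v1

url-parse@^1.5.10:
  version "1.5.10"
  resolved "https://registry.yarnpkg.com/url-parse/-/url-parse-1.5.10.tgz"
  dependencies:
    querystringify "^2.1.1"
    requires-port "^1.0.0"

url-parse@^1.4.3:
  version "1.4.7"
  resolved "https://registry.yarnpkg.com/url-parse/-/url-parse-1.4.7.tgz"

memory-cache@^0.2.0:
  version "0.2.0"
  resolved "https://registry.yarnpkg.com/memory-cache/-/memory-cache-0.2.0.tgz"
'

# Print each resolved version of package $1, reading lockfile text from stdin.
resolved_versions() {
  awk -v pkg="$1" '
    /^[^ ]/ { hdr = $0; sub(/^"/, "", hdr); inblock = (index(hdr, pkg "@") == 1) }
    inblock && $1 == "version" { gsub(/"/, "", $2); print $2 }'
}

# Succeed (exit 0) when dotted version $1 is >= $2, comparing major.minor.patch numerically.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) { if (x[i] + 0 > y[i] + 0) exit 0; if (x[i] + 0 < y[i] + 0) exit 1 }
    exit 0 }'
}

# Report each resolved copy of $1 against minimum $2; returns 1 if any copy is older,
# 2 if the package is absent from the lockfile (also worth noticing during triage).
check_min_version() {
  pkg="$1"; min="$2"; rc=0
  versions=$(resolved_versions "$pkg")
  [ -n "$versions" ] || { echo "not in lockfile: $pkg"; return 2; }
  for v in $versions; do
    if version_ge "$v" "$min"; then echo "ok: $pkg@$v >= $min"
    else echo "VULNERABLE: $pkg@$v < $min"; rc=1; fi
  done
  return $rc
}

# Against the real file from the monorepo root: check_min_version url-parse 1.5.8 < yarn.lock
printf '%s' "$SAMPLE_LOCK" | check_min_version url-parse 1.5.8 || echo "url-parse needs attention"
printf '%s' "$SAMPLE_LOCK" | check_min_version memory-cache 0.2.0
```

The sample deliberately contains a second, older `url-parse` block so the check reports it as vulnerable even though the direct dependency resolves to 1.5.10.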
Acceptance criteria:
`yarn audit` output reviewed and triaged
No critical/high vulnerabilities in resolved dependency versions
`url-parse` confirmed at >=1.5.8
`memory-cache` risk documented (replacement or acceptance)
Risks: Replacing `memory-cache` could introduce regressions in caching behavior. For a maintenance-mode SDK, documenting the risk may be more appropriate than a full replacement.