
npm audit false positive for mattermost-webapp #26968

Open
paragonie-security opened this issue May 7, 2024 · 0 comments
Labels
Bug Report/Open Bug report/issue


Summary

When first installing Mattermost, npm audit reports a critical issue for malware in a dependency, but appears to be a false positive.

Advisory link: GHSA-r5gc-r4qf-2vh7

Steps to reproduce

  1. Start a fresh install (from a git clone) of mattermost.
  2. cd webapp
  3. npm install && npm audit

Since mattermost-webapp is a channel name, the package from NPM is never directly installed.

Expected behavior

Just a report with lots of Regex DoS like usual for npm audit.

Observed behavior (that appears unintentional)

The audit report contains this segment:

mattermost-webapp  *
Severity: critical
Malware in mattermost-webapp - https://github.com/advisories/GHSA-r5gc-r4qf-2vh7
No fix available
channels
node_modules/mattermost-webapp

Possible fixes

In the PHP ecosystem, we have the ability to make a package that conflicts with every vulnerable version, thereby preventing it from ever being installed. I don't see a similar mechanism in package.json.

It may be possible to use overrides to achieve a similar effect, but it's not immediately clear to us if that will work. (We are not Node.js experts.)

@amyblais amyblais added the Bug Report/Open Bug report/issue label May 9, 2024