Replace zxcvbn with zxcvbn-ts

[fseydel]

The password-strength-meter in wp-admin uses the 12 year old package zxcvbn 4.4.1.

This package has a known vulnerability: ​https://security.snyk.io/package/npm/zxcvbn/4.4.1

Using this package failed a pentest on a customers WordPress website.

An idea would be to switch to zxcvbn-ts (​https://github.com/zxcvbn-ts/zxcvbn) which is up-to-date and has no known vulnerability.

Migration should easily be possible: ​https://zxcvbn-ts.github.io/zxcvbn/guide/migration/#zxcvbn-4-4-2-to-zxcvbn-ts-0-1-0

[fseydel]

Feedback from the Bavarian "Landesamt für Sicherheit in der Informationstechnik":
"The vulnerability only affects the availability of the website in the client's browser and does not pose a threat to the server side, provided the affected library is only used on the client side. However, this still constitutes a violation of the administrative regulation BayITSiR-14, section 3.4 d), since security patches (including those from third-party products) must be installed immediately."

[audrasjb]

Hello, thank you for reporting this, but didn't you notice the information about Security issues when you opened this ticket? While this is not an important one, please note that Security issues should be opened privately on Hackerone first.

[sabernhardt]

Related: #43749

[fseydel]

Replying to audrasjb:

Hello, thank you for reporting this, but didn't you notice the information about Security issues when you opened this ticket? While this is not an important one, please note that Security issues should be opened privately on Hackerone first.

Sorry, my fault. Won't happen again.