
update third-party dependency #1

Closed
CodeIter opened this issue Jul 21, 2019 · 0 comments
Labels: bug (Something isn't working)

Comment by CodeIter (Owner):

The [email protected] package transitively depends on a vulnerable version of the [email protected] package.

from https://nodesecurity.io/advisories/786

Overview
Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Remediation
Upgrade to version 2.3.1 or higher.
Resources
GitHub Commit

yarn audit v1.13.0
low : Regular Expression Denial of Service
Package : braces
Patched in : >=2.3.1
Dependency of : express-reload
Path : express-reload > chokidar > anymatch > micromatch > braces
More info : https://nodesecurity.io/advisories/786
1 vulnerabilities found -
Severity: 1 Low
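As an added illustration (not code from the issue or the project), the script below parses the human-readable finding that `yarn audit` printed above, identifies the direct dependency that pulls in the vulnerable package along the reported path, checks an installed version against the "Patched in" range, and emits the yarn `resolutions` entry that would pin the nested package. The audit text is a constructed copy of the issue's output; only the `>=X.Y.Z` range form shown on the page is supported, and the `**/<name>` resolution glob assumes yarn v1 selective-resolution semantics.

```javascript
// Sample finding, constructed from the yarn audit output quoted in the issue.
const auditText = `
low : Regular Expression Denial of Service
Package : braces
Patched in : >=2.3.1
Dependency of : express-reload
Path : express-reload > chokidar > anymatch > micromatch > braces
More info : https://nodesecurity.io/advisories/786
`;

// Turn "Key : value" lines into an object and split the dependency path.
function parseFinding(text) {
  const finding = {};
  for (const line of text.split('\n')) {
    const m = line.match(/^([^:]+?)\s*:\s*(.+)$/); // first colon separates key from value
    if (m) finding[m[1].trim()] = m[2].trim();
  }
  finding.path = finding.Path.split('>').map((s) => s.trim());
  return finding;
}

// Numeric comparison of dotted versions: negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when `installed` satisfies a ">=X.Y.Z" range (assumption: only that form).
function isPatched(installed, patchedIn) {
  const m = patchedIn.match(/^>=\s*(\d+(?:\.\d+)*)$/);
  if (!m) throw new Error(`unsupported range: ${patchedIn}`);
  return compareVersions(installed, m[1]) >= 0;
}

// First hop of the path is the direct dependency to bump; last hop is the vulnerable package.
function remediationPlan(finding) {
  const direct = finding.path[0];
  const vulnerable = finding.path[finding.path.length - 1];
  return {
    direct,
    vulnerable,
    transitive: finding.path.length > 1,
    // yarn v1 "resolutions" entry forcing every nested copy onto the patched range (assumption).
    resolution: { [`**/${vulnerable}`]: finding['Patched in'] },
  };
}

console.log(remediationPlan(parseFinding(auditText)));
```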

@CodeIter CodeIter added the bug Something isn't working label Jul 21, 2019
@CodeIter CodeIter self-assigned this Jul 21, 2019
CodeIter added a commit that referenced this issue Sep 10, 2019
fixes #1
fixes kevinsimper#2

Signed-off-by: Mohamed Amin Boubaker <[email protected]>
@CodeIter CodeIter changed the title from "Regular Expression Denial of Service vulnerability" to "update third-party dependency" Sep 10, 2019
@CodeIter CodeIter reopened this Sep 10, 2019
CodeIter added a commit that referenced this issue Sep 10, 2019
fixes #1
fixes kevinsimper#2

Signed-off-by: Mohamed Amin Boubaker <[email protected]>
@CodeIter CodeIter reopened this Sep 10, 2019