Unhealthy dependency - trim-off-newlines
#2822
Comments
These regular expression denial of service vulnerabilities are only vulnerabilities if you're passing external strings into the regular expressions. That's not the case with AVA. Maybe the tests run a little slower, but I doubt that. A PR is in progress to implement this within AVA itself, see #2825. That'll be included in AVA 4. I recommend marking your project as not vulnerable to this CVE.
I do realize this falls into the common category of issues not exploitable in dev tools. I'm unhappy about the lack of a backport when a full 4.0 release isn't close. There seem to be a lot of open issues still marked for the 4.0 milestone - a lot of work yet to be done.
It's not just about being actually affected but also about the build workflow of projects that use @avajs, which might get blocked by security audit warnings. The workflow of some projects simply doesn't allow known security warnings to be present. In my experience, issues like this normally get handled relatively quickly upstream, and only very rarely is manual exclusion/patching/effort required. Unfortunately, so far it looks like the recent stable version of the project is abandoned.
I've got a security warning on my projects. Turns out it's the trim-off-newlines package, and it only gets into my node_modules via ava dependencies.
If I understand the prevention strategy correctly, the regex `/^[\r\n]+|[\r\n]+$/g` is sufficient for the job and avoids the catastrophic backtracking. I write it here because I think it might be better to have a utility function locally rather than link a junk package.
I think this requires 3.15.1 patch update.
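An added example of keeping the helper local, as the comment above suggests (this is not AVA's code, nor the trim-off-newlines package, nor the PR referenced in #2825): a regex-free trim that walks inward from both ends, so there is no backtracking of any kind, cross-checked for identical output against the regex quoted in the comment on constructed inputs. The `TypeError` on non-string input and the sample strings are choices made here, not behaviour taken from any package.

```javascript
// Added example, not AVA's or trim-off-newlines' code.
// Regex-free trim: scan inward from both ends over \r and \n only.
// Cost is proportional to the number of characters removed, and a long
// run of newlines in the middle of the string is never examined.
function trimOffNewlines(input) {
  if (typeof input !== 'string') {
    throw new TypeError('Expected a string'); // design choice for this example
  }
  let start = 0;
  let end = input.length;
  while (start < end && (input[start] === '\n' || input[start] === '\r')) start++;
  while (end > start && (input[end - 1] === '\n' || input[end - 1] === '\r')) end--;
  return input.slice(start, end);
}

// The regex proposed in the issue comment, kept only to verify that the
// loop above produces the same output on every sample.
const NEWLINE_EDGES = /^[\r\n]+|[\r\n]+$/g;

function trimOffNewlinesRegex(input) {
  return input.replace(NEWLINE_EDGES, '');
}

// Constructed inputs (not from any real project): empty, plain, mixed CR/LF
// at both ends, interior newlines that must survive, long edge runs, a string
// that is nothing but newlines, and a long interior run with no trimming.
const SAMPLES = [
  '',
  '\n',
  'hello',
  '\r\n\r\nhello\r\n\r\n',
  '\n\nline one\nline two\n\n',
  '\r'.repeat(50000) + 'payload' + '\n'.repeat(50000),
  '\n'.repeat(100000),
  'x' + '\n'.repeat(5000) + 'x',
];

// Returns true when the loop and the regex agree on every sample.
function implementationsAgree(samples = SAMPLES) {
  return samples.every((s) => trimOffNewlines(s) === trimOffNewlinesRegex(s));
}

// Stand-alone run: report agreement and a couple of trimmed values.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('implementations agree:', implementationsAgree());
  console.log(JSON.stringify(trimOffNewlines('\r\n\r\nhello\r\n\r\n')));
  console.log(JSON.stringify(trimOffNewlines('\n\nline one\nline two\n\n')));
}
```

Dropping the dependency in favour of the loop removes the package from the audit report entirely rather than relying on a regex being safe for every input shape, which is the outcome the build-workflow objection above is after.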