
Add support of new native methods. Fix vulnerability #10

Open
wants to merge 3 commits into
base: master
from

Conversation

andrushkin2

Hey there!

The lib is a dependency of the StoryBook project.
The current version of the lib has a vulnerability, so I fixed it and also added support for the new native String methods:

  • .trimStart(str)
  • .trimEnd(start)

Feel free to ask questions

@Trott

Trott commented Oct 9, 2022

Hi. The current version of the dependency does not have a vulnerability, but it is also not hosted in this repository. It's hosted at https://github.com/Trott/trim instead.

Unfortunately, I don't have access to close this issue or archive this repository or anything like that.

@Trott

Trott commented Oct 9, 2022

A StoryBook yarn.lock file is currently pointing to version 0.0.1 of trim. Update to at least version 0.0.2 (released almost two years ago) for the vulnerability fix (although there's probably no reason not to go 0.0.3, or for that matter 1.0.1, or for that matter to drop the dependency entirely and rely on String.prototype.trim).

@andrushkin2
Author

Thanks for the quick feedback.
Looks like I chose the wrong package( Then the vulnerability is in v0.0.3 of https://github.com/Trott/trim

@andrushkin2
Author

@Trott is there a way to add a patch for v0.0.3? I'll send a pull request if needed.
StoryBook and some other libs use v0.0.3 of the trim lib. I think the libs cannot be upgraded to the latest trim version because of breaking changes, so the fastest way here is to make a patch (v0.0.4) and update package-lock to the new version.

@Trott

Trott commented Oct 9, 2022

What makes you say it's using 0.0.3? https://github.com/storybookjs/storybook/blob/c745ff687e0dd445e0b9b4b908c1dfe75b3bfa3a/code/yarn.lock says 0.0.1.

```yaml
"trim@npm:0.0.1":
  version: 0.0.1
  resolution: "trim@npm:0.0.1"
  checksum: d974971fc8b8629d13286f20ec6ccc48f480494ca9df358d452beb1fd7eea1b802be41cc7ee157be4abbdf1b3ca79cc6d04c34b14a7026037d437e8de9dacecb
  languageName: node
  linkType: hard
```

And 0.0.3 is not vulnerable to ReDoS while 0.0.1 is.

I don't know if GitHub permits pull requests against tags, but if you wanted to open a pull request against 0.0.3, I suppose you could try to open a request against https://github.com/Trott/trim/tree/v0.0.3. Not sure GitHub allows that though. If not, I could create a v0.x branch and then you could open it against that.

But I'm not convinced there's an issue to patch in 0.0.3....
