Regular expression denial-of-service (ReDoS)- Vulnerability trim-newlines #3123

Closed
aadi1999 opened this issue Jun 2, 2021 · 7 comments · Fixed by #3125

Comments

@aadi1999

aadi1999 commented Jun 2, 2021

The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

https://nvd.nist.gov/vuln/detail/CVE-2021-33623

Please update the meow package version to 10.0.0 (latest).
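
The following is an added example, not part of the original thread or the project's code: a Node.js check that flags `trim-newlines` entries in a parsed `package-lock.json` whose version falls in the ranges quoted in the issue above (before 3.0.1, and 4.x before 4.0.1). The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example. Ranges come from the issue text: before 3.0.1, and 4.x before 4.0.1.
// Parse "major.minor.patch"; any pre-release/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  if (!v) return false; // unparseable (e.g. link entries): not flagged
  return v[0] === 4 ? lessThan(v, [4, 0, 1]) : lessThan(v, [3, 0, 1]);
}

function findVulnerable(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/trim-newlines') && isVulnerable(info.version))
        hits.push({ path, version: info.version });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'trim-newlines' && isVulnerable(info.version))
        hits.push({ path: here.join(' > '), version: info.version });
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

const sampleLock = { // constructed sample, lockfileVersion 2 layout
  packages: {
    'node_modules/trim-newlines': { version: '3.0.0' },
    'node_modules/a/node_modules/trim-newlines': { version: '4.0.0' },
    'node_modules/b/node_modules/trim-newlines': { version: '4.0.1' },
  },
};
console.log(findVulnerable(sampleLock));
```

To use it on a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerable`; each hit shows which install path still pins an affected version.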

@emiwidknowit

Any updates?

@TannerS

TannerS commented Jun 14, 2021

Glad a PR for this got created! Hopefully it will be merged soon!

@scottbarrow

Any updates on this? There's a CVE resolution depending on it:
GHSA-7p7h-4mm5-852v

Thanks

@TannerS

TannerS commented Jun 18, 2021

I am also curious about this. It appears a lot of people are waiting on this and curious as to why the PR is not merged yet.

@toms-place

Can we also get a new release for ^4.14.X?
Node Sass Middleware requires it.
https://www.npmjs.com/package/node-sass-middleware

@xzyfer
Contributor

xzyfer commented Jul 8, 2021

Looks like we can back port this to 4.x by updating to meow@7 without too much happy. I'll try to cut a release in the next 48hrs.

@cronon

cronon commented Aug 3, 2021

Hi @xzyfer!
Did you have a chance to backport it to 4.x?

@nschonni nschonni unpinned this issue Sep 25, 2021