
Snyk ReDoS issue in ansi-regex nested dependency #390

Closed
Pradeep976 opened this issue Dec 21, 2022 · 4 comments
Labels: feature-request (A feature should be added or improved), p3 (This is a minor priority issue)

Comments

@Pradeep976

Describe the bug
My Snyk dashboard shows that this package has a high-severity security issue in one of the packages installed by the dependencies of this package.

The problem is with the package [email protected], which causes Regular Expression Denial of Service (ReDoS); this issue is fixed in the package ansi-regex 3.0.1.

Can you please make use of the latest packages in order to solve this issue?
https://user-images.githubusercontent.com/61454285/191446241-eadee963-6206-424d-9b67-dfd4eb5e7a84.png

Expected Behavior
No issues in Snyk

Current Behavior
1 High issue reported in Snyk

Reproduction Steps
When running our external Snyk pipeline this issue is reported in the Snyk dashboard

Possible Solution
No response

Additional Information/Context
No response

SDK version used
1.15.5

Environment details (OS name and version, etc.)
macOS Monterey 12.4

@bretambrose (Contributor)

Using the same response to both this and #391

Upgrading cmake-js to the latest major version is essentially a large bump to our minimum node version (10 -> 14). Cmake-js 7 will not run on less than node 14, and it's not a good experience to require a version of node (to build) beyond what the actual baseline is. We will look into what the proper procedure should be for updating our node baseline to 14, but under normal circumstances it's something that needs a decent amount of advance notice to users.

While "there's no vulnerability" is not something a downstream user should ever rely on, in this case, the inputs that are fed into the potentially vulnerable code are 100% under our control (the repo source) and so while the general vulnerability is real, there is not a cause for alarm with applications using the CRT at the present moment.

@thetumper

> Upgrading cmake-js to the latest major version is essentially a large bump to our minimum node version (10 -> 14).

Why not release a major version, with the security fix and bump of min node version?

@bretambrose (Contributor)

Having looked into this further, we have no near-term plans to do either a major version bump or a minimum node version bump. Either have the potential to significantly disrupt users.

Other options are potentially available (#421) but are also currently on hold.

@yasminetalby added the labels p3 (This is a minor priority issue) and feature-request (A feature should be added or improved) on Jun 26, 2023
@bretambrose (Contributor)

Cmake-js has been updated as of v1.19.0
