Installation npm vulnerability warnings - Braces / Windows 10 #2420
Comments
Hi Tim, could you please read and respond to my comments on your original issue before you make any more? You have clearly identified a third degree module which has outstanding security warnings; as I had mentioned in my original comment, we have no control over those modules. We will not be suppressing the security vulnerabilities.
Please add these sub items to your original issue. They are the same issue and you have yet to respond to my original message.
Oliver
Sorry for the crossed wires, I was making the suggestions without consulting my mails and I thought it was best practice to separate issues.
Tim
On Fri, Aug 23, 2019 at 11:06 AM Oliver Foster wrote:
No worries 👍
Expected Behaviour
No npm vulnerability warnings
Actual Behaviour
Run npm install [email protected] to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
Low Regular Expression Denial of Service
Package braces
Dependency of migrate-mongoose
Path migrate-mongoose > babel-cli > chokidar > anymatch > micromatch > braces
More info https://npmjs.com/advisories/786
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Steps to Reproduce
There appear to be two versions of the braces package in the Adapt installation
\node_modules\anymatch\node_modules\braces\package.json shows [email protected]
\node_modules\braces\package.json shows [email protected]
According to https://www.npmjs.com/advisories/786
Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.
Remediation
Upgrade to version 2.3.1 or higher.
So it appears that the older version of braces at \node_modules\anymatch\node_modules\braces is the source of the problem.
see also #2419
#1745
@LouiseMcMahon
Versions