High severity vulnerability - Regular Expression Denial of Service
Describe the bug
npm i got unfixable issue https://www.npmjs.com/advisories/1753
Current behavior
A clear and concise description of the behavior.
Expected behavior
A clear and concise description of what you expected to happen.
Environment
- standard-version version(s): 9.3.0
- Node/npm version: [e.g. Node 10/npm 6]
- OS: [e.g. OSX 10.13.4, Windows 10]
Possible Solution
As https://www.npmjs.com/advisories/1753 suggests, upgrade to versions 3.0.1 or 4.0.1 or later.
Additional context
Add any other context about the problem here. Or a screenshot if applicable.
Issue Analytics
- Created 2 years ago
- Reactions:24
- Comments:13 (1 by maintainers)
Top GitHub Comments
Have literally hundreds of projects, both personal and commercial, where I use standard-version, giving me this high severity vulnerability including on Github.
The vulnerability comes from trim-newlines, which is a dependency of meow, which is a dependency of standard-version. The latest versions of package meow have already updated the vulnerable package trim-newlines. Now all that's missing is that standard-version updates the version of meow it depends on. Is there an ETA on this?
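The chain described in the comment above (standard-version, meow, trim-newlines) can be checked mechanically. The following is an added example, not code from the issue, the advisory, or the standard-version or meow projects: it walks a package-lock.json of lockfileVersion 2, resolves each dependency the way npm lays it out under node_modules, and reports every chain that ends in a trim-newlines release older than the fixed versions the advisory names (3.0.1 / 4.0.1). The lockfile, the meow and trim-newlines versions, and the package name other-cli are constructed for the example; only standard-version 9.3.0 comes from the issue.

```javascript
// Added example, not code from the issue, standard-version or meow: walks a
// package-lock.json "packages" map (lockfileVersion 2, npm 7+) and lists every
// dependency chain ending in a trim-newlines release older than the advisory's
// fixed versions (3.0.1 for the 3.x line, 4.0.1 for 4.x; 4.0.0 is affected).

function isVulnerableTrimNewlines(version) {
  const v = version.split('.').map(Number);               // "3.0.0" -> [3, 0, 0]
  if (v[0] >= 5) return false;                            // 5.x and later postdate the fix
  const fixed = v[0] === 4 ? [4, 0, 1] : [3, 0, 1];
  for (let i = 0; i < 3; i++) if (v[i] !== fixed[i]) return v[i] < fixed[i];
  return false;                                           // exactly the fixed release
}

// npm-style resolution: the requiring package's own node_modules first, then each
// ancestor's node_modules, up to the project root ("" in the lockfile).
function resolveDep(packages, fromPath, name) {
  for (let dir = fromPath; ; dir = dir.replace(/(^|\/)node_modules\/(@[^\/]+\/)?[^\/]+$/, '')) {
    const candidate = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;                                // not installed at all
  }
}

// Depth-first walk from the root; "seen" tracks only the current route, so cycles
// are cut and a vulnerable copy reachable several ways is reported once per route.
function vulnerableChains(lock, target = 'trim-newlines', check = isVulnerableTrimNewlines) {
  const packages = lock.packages, found = [];
  const walk = (path, chain, seen) => {
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const depPath = resolveDep(packages, path, dep);
      if (!depPath || seen.has(depPath)) continue;          // missing dep or cycle
      const version = packages[depPath].version;
      const next = chain.concat(dep + '@' + version);
      if (dep === target) { if (check(version)) found.push(next.join(' > ')); continue; }
      walk(depPath, next, new Set(seen).add(depPath));
    }
  };
  walk('', [], new Set());
  return found;
}

// Constructed sample lockfile: only standard-version 9.3.0 comes from the issue;
// the meow/trim-newlines versions and "other-cli" are illustrative.
const SAMPLE_LOCK = { lockfileVersion: 2, packages: {
  '': { dependencies: { 'standard-version': '9.3.0', 'other-cli': '1.0.0' } },
  'node_modules/standard-version': { version: '9.3.0', dependencies: { meow: '^8.0.0' } },
  'node_modules/meow': { version: '8.0.0', dependencies: { 'trim-newlines': '^3.0.0' } },
  'node_modules/trim-newlines': { version: '3.0.0' },
  'node_modules/other-cli': { version: '1.0.0', dependencies: { 'trim-newlines': '^4.0.0' } },
  'node_modules/other-cli/node_modules/trim-newlines': { version: '4.0.1' },   // fixed copy
} };
console.log(vulnerableChains(SAMPLE_LOCK));   // [ 'standard-version@9.3.0 > meow@8.0.0 > trim-newlines@3.0.0' ]
```

For a real project, pass JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) instead of SAMPLE_LOCK. lockfileVersion 1 files have no "packages" map and are not handled here.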
This appears to have been resolved as of https://github.com/conventional-changelog/get-pkg-repo/pull/62#issuecomment-892320204 and is stuck on a new package publish.
@stevemao, besides @hutson (who says they don’t have publish access) you are the only other person on the package. Are you able to assist?