Vulnerability in `url-regex` indirect dependency
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ url-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fomantic-ui │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fomantic-ui > gulp-concat-css > rework-import > url-regex │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1550 │
└───────────────┴──────────────────────────────────────────────────────────────┘
All these dependencies look pretty unmaintained to me so I think the best course of action would be to look for alternatives to gulp-concat-css.
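Since no patch exists for this advisory, the practical check is whether the reported chain (fomantic-ui > gulp-concat-css > rework-import > url-regex) is still present in a project's lockfile after dependencies are swapped. The following is an added example, not code from this issue, fomantic-ui or gulp-concat-css; it walks an npm package-lock.json (lockfileVersion 2 or 3 `packages` map) and reports every chain that reaches a named package, using a constructed lockfile that mirrors the advisory's path.

```javascript
// Added example (not from the issue or any of these projects): walk an npm
// package-lock.json (lockfileVersion 2/3 "packages" map) and list every
// dependency chain that reaches a package, so you can confirm whether an
// unpatched advisory such as url-regex's ReDoS still applies to your tree.

// npm's resolution rule: a dependency of the package installed at `from`
// is the nearest node_modules/<name> directory at or above `from`.
function resolveDep(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first search from the root package ("") collecting every chain of
// package names that ends at `target`. The per-path `seen` set stops
// cycles, which npm lockfiles can legitimately contain.
function findPaths(lock, target) {
  const packages = lock.packages || {};
  const results = [];
  const walk = (loc, chain, seen) => {
    for (const depName of Object.keys(packages[loc].dependencies || {})) {
      const next = resolveDep(packages, loc, depName);
      if (!next || seen.has(next)) continue;
      const nextChain = chain.concat(depName);
      if (depName === target) results.push(nextChain);
      walk(next, nextChain, new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return results.map((chain) => chain.join(" > "));
}

// Constructed lockfile mirroring the advisory's path; the copy nested under
// rework-import exercises the nearest-node_modules rule above.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "fomantic-ui": "*" } },
    "node_modules/fomantic-ui": { dependencies: { "gulp-concat-css": "*" } },
    "node_modules/gulp-concat-css": { dependencies: { "rework-import": "*" } },
    "node_modules/rework-import": { dependencies: { "url-regex": "*" } },
    "node_modules/rework-import/node_modules/url-regex": {},
  },
};

console.log(findPaths(SAMPLE_LOCK, "url-regex").join("\n") || "not present");
```

For a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result after switching to a url-regex-safe based fork confirms the chain is gone.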
Top GitHub Comments
There’s a branch that can be used that uses the URL regex safe dependency. I can create a PR using it if you want me to.
https://github.com/Cj-bc/gulp-concat-css/tree/use_url-regex-safe_rework-import
One question: do you have an estimated date for the attention of this issue?