Replace ua-parser-js or pin current version
It seems ua-parser-js has been the source of several security issues:
- https://github.com/karma-runner/karma/issues/3562 (regex catastrophic backtracking)
- https://github.com/karma-runner/karma/issues/3583 (regex catastrophic backtracking)
- https://github.com/karma-runner/karma/issues/3680 (regex catastrophic backtracking)
- https://github.com/karma-runner/karma/issues/3713 (malware compromise)
The catastrophic backtracking issues of course aren’t much of a problem for Karma, but the recent malware compromise certainly is! Karma represents a large chunk of the library’s usage (according to NPM, Karma represents ~25% of ua-parser-js’s downloads), and since a version range import is being used, it means that Karma may have unwittingly been a big contributor to spreading the latest malware.
Yet the library is only used in a single location for a very minor purpose (constructing a “friendly” name for browsers to show in the logs; as far as I can tell, this is an undocumented internal function with no particular promises about its API): https://github.com/karma-runner/karma/blob/94cf15e8fa4420c8716998873b77f0c4f59b9e94/lib/helper.js#L9
Maybe it’s time to swap that function out for a home-grown simplified version? I think there are a few options:
- handle just the UAs for browsers with supported launchers, and the rest can use the fallback full version string
- don’t try to create friendly names for any browsers; just use the full version string for everything
- continue using ua-parser-js, but pin a specific version (0.7.30) instead of a range (^0.7.30) to at least avoid any future compromises being auto-fetched (and perhaps worth doing a quick review of the current code for other issues, if going with this option)
- any of the above, plus make the function configurable (so that users can provide their own full-user-agent -> nice-name function, which could of course use any version of ua-parser-js if the user wants it). If doing this, my preferred choice would be to have the default just pass through the raw UA, removing the need for the dependency and keeping the code simple.
Do the maintainers have any preferences here?
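An added example (not karma's code and not the issue author's) of the first option above: a dependency-free helper that builds a friendly name only for browsers karma has launchers for and otherwise passes the raw user-agent string through. The browser/token pairs are assumptions about common UA layouts, and the sample UA strings are constructed.

```javascript
// Added example, not karma's own code: a dependency-free "friendly browser
// name" helper for the first option in the issue. Only browsers karma ships
// launchers for are named; everything else falls back to the raw UA string.

// Order matters: Edge and Opera embed "Chrome/", and every WebKit browser
// embeds "Safari/", so the more specific tokens are checked first.
// (Browser/token pairs are assumptions about common UA layouts.)
const KNOWN_BROWSERS = [
  { name: 'Edge', token: 'Edg/' },       // Chromium-based Edge
  { name: 'Opera', token: 'OPR/' },
  { name: 'Firefox', token: 'Firefox/' },
  { name: 'Chrome', token: 'Chrome/' },
  { name: 'Safari', token: 'Version/' }, // Safari reports its version after "Version/"
];

// Return the dotted version that directly follows `token`, or null.
// A single forward scan is used instead of a regex over the whole string,
// so no crafted input can trigger the backtracking the issue links to.
function versionAfter(ua, token) {
  const start = ua.indexOf(token);
  if (start === -1) return null;
  let i = start + token.length;
  let version = '';
  while (i < ua.length && /[0-9.]/.test(ua[i])) {
    version += ua[i];
    i += 1;
  }
  return version.length > 0 ? version : null;
}

function friendlyBrowserName(ua) {
  if (typeof ua !== 'string') return String(ua);
  for (const { name, token } of KNOWN_BROWSERS) {
    // "Version/" alone is not enough evidence for Safari; require "Safari/" too.
    if (name === 'Safari' && !ua.includes('Safari/')) continue;
    const version = versionAfter(ua, token);
    if (version !== null) return `${name} ${version}`;
  }
  return ua; // fallback: the full user-agent string
}

// Constructed sample UA strings (not captured from real traffic).
const SAMPLE_UAS = {
  chrome: 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36',
  edge: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Edg/94.0.992.47',
  firefox: 'Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0',
  safari: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 Safari/605.1.15',
  unknown: 'CustomHeadlessRunner/1.0',
};
for (const ua of Object.values(SAMPLE_UAS)) console.log(friendlyBrowserName(ua));
```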
Top GitHub Comments
sure; will take a look at it this weekend
Created a PR