Possible ReDOS through React and other packages
See original GitHub issue

I notice our snyk-ci step has been failing for the past few merges. The error from the log says:
```
Testing /home/travis/build/mozilla/addons-frontend...
✗ Medium severity vulnerability found on ua-parser-js@0.7.17
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:ua-parser-js:20180227
- from: mozilla-addons-frontend@0.0.1 > react@16.4.2 > fbjs@0.8.16 > ua-parser-js@0.7.17
Your dependencies are out of date, otherwise you would be using a newer ua-parser-js than ua-parser-js@0.7.17.
✗ Medium severity vulnerability found on ua-parser-js@0.7.17
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:ua-parser-js:20180227
- from: mozilla-addons-frontend@0.0.1 > react-dom@16.4.2 > fbjs@0.8.16 > ua-parser-js@0.7.17
Your dependencies are out of date, otherwise you would be using a newer ua-parser-js than ua-parser-js@0.7.17.
✗ Medium severity vulnerability found on ua-parser-js@0.7.17
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:ua-parser-js:20180227
- from: mozilla-addons-frontend@0.0.1 > react@16.4.2 > prop-types@15.6.1 > fbjs@0.8.16 > ua-parser-js@0.7.17
Your dependencies are out of date, otherwise you would be using a newer ua-parser-js than ua-parser-js@0.7.17.
✗ Medium severity vulnerability found on ua-parser-js@0.7.17
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:ua-parser-js:20180227
- from: mozilla-addons-frontend@0.0.1 > react-dom@16.4.2 > prop-types@15.6.1 > fbjs@0.8.16 > ua-parser-js@0.7.17
Your dependencies are out of date, otherwise you would be using a newer ua-parser-js than ua-parser-js@0.7.17.
✗ Medium severity vulnerability found on ua-parser-js@0.7.17
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:ua-parser-js:20180227
- from: mozilla-addons-frontend@0.0.1 > react-redux@5.0.7 > prop-types@15.6.1 > fbjs@0.8.16 > ua-parser-js@0.7.17
Your dependencies are out of date, otherwise you would be using a newer ua-parser-js than ua-parser-js@0.7.17.
✗ Medium severity vulnerability found on ua-parser-js@0.7.17
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:ua-parser-js:20180227
- from: mozilla-addons-frontend@0.0.1 > react-textarea-autosize@7.0.4 > prop-types@15.6.1 > fbjs@0.8.16 > ua-parser-js@0.7.17
Your dependencies are out of date, otherwise you would be using a newer ua-parser-js than ua-parser-js@0.7.17.

Organisation: add-ons-team
Package manager: yarn
Target file: package.json
Open source: yes
Local Snyk policy found
Tested 515 dependencies for known vulnerabilities, found 1 vulnerability, 6 vulnerable paths.
Run `snyk wizard` to address these issues.
```
But this is odd, because our package.json file specifies version 0.7.18 of `ua-parser-js`, which is the latest version.

If I run `npm list ua-parser-js` locally, I see:
```
mozilla-addons-frontend@0.0.1 /Users/bsilverberg/Documents/gitRepos/addons-frontend
├─┬ react@16.4.2
│ └─┬ fbjs@0.8.16
│   └── ua-parser-js@0.7.17
├─┬ react-super-responsive-table@4.3.1
│ └─┬ create-react-context@0.2.2
│   └─┬ fbjs@0.8.17
│     └── ua-parser-js@0.7.18 deduped
└── ua-parser-js@0.7.18
```
I’m not entirely sure how to interpret that, but I think it means I have 0.7.18 installed locally.
@kumar303 Do we think this is just a temporary blip in the snyk service as we’ve seen a couple of times in the past?
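The following is an added example, not code from the issue or the addons-frontend project, showing how to read a dependency tree like the one above mechanically: it walks an `npm ls --json`-style tree (the nested `name`/`version`/`dependencies` shape is an assumption about npm's JSON output, and the sample tree is constructed to mirror the `npm list` output quoted in the issue) and reports every path on which `ua-parser-js` resolves to a version older than the fixed one. A top-level `ua-parser-js@0.7.18` does not remove the nested `fbjs@0.8.16 > ua-parser-js@0.7.17` copy, which is exactly the kind of path a scanner keeps flagging.

```javascript
// Added example (not from the issue): find every path in an npm-style
// dependency tree where `pkg` resolves to a version older than `fixedIn`.
// The tree is constructed here to match the `npm list ua-parser-js` output
// quoted in the issue; the JSON nesting mirrors `npm ls --json` (assumption).
const sampleTree = {
  name: 'mozilla-addons-frontend',
  version: '0.0.1',
  dependencies: {
    react: {
      version: '16.4.2',
      dependencies: {
        fbjs: {
          version: '0.8.16',
          dependencies: { 'ua-parser-js': { version: '0.7.17' } },
        },
      },
    },
    'react-super-responsive-table': {
      version: '4.3.1',
      dependencies: {
        'create-react-context': {
          version: '0.2.2',
          dependencies: {
            fbjs: {
              version: '0.8.17',
              dependencies: { 'ua-parser-js': { version: '0.7.18' } },
            },
          },
        },
      },
    },
    'ua-parser-js': { version: '0.7.18' },
  },
};

// Compare two dotted numeric versions (x.y.z); prerelease tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk collecting every path that ends at `pkg`, with the version
// resolved at that position (a deduped entry still shows its own version).
function findPaths(node, pkg, path = [`${node.name}@${node.version}`]) {
  const found = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = path.concat(`${name}@${child.version}`);
    if (name === pkg) found.push({ path: here, version: child.version });
    found.push(...findPaths({ ...child, name }, pkg, here));
  }
  return found;
}

// Keep only the paths whose resolved version is older than the fixed one,
// rendered in the same "a@1 > b@2 > c@3" form that the scanner prints.
function vulnerablePaths(tree, pkg, fixedIn) {
  return findPaths(tree, pkg)
    .filter((hit) => compareVersions(hit.version, fixedIn) < 0)
    .map((hit) => hit.path.join(' > '));
}

// Usage: prints the single path still pulling in ua-parser-js@0.7.17.
for (const p of vulnerablePaths(sampleTree, 'ua-parser-js', '0.7.18')) {
  console.log(p);
}
```

To run it against a real project, replace `sampleTree` with `JSON.parse` of the output of `npm ls --json --all` (older npm versions print the full tree without `--all`); the walk itself does not change.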
Issue Analytics
- State:
- Created 5 years ago
- Comments:7 (5 by maintainers)
Thanks @gaearon, that worked beautifully.
By the way, you can use Yarn resolutions to force transitive dependencies to be of certain versions. But again, React is not affected by this, so it would be more of a formality.