Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixes known vulnerability CVE-2017-18077 #869

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

ivoputzer
Copy link

@ivoputzer ivoputzer commented Mar 15, 2018

Known vulnerability found CVE-2017-18077 (Moderate severity)
index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

update suggested:

brace-expansion ~> 1.1.7

currently a transitive dependency of:

@ivoputzer ivoputzer changed the title fixes known vulnerability CVE-2017-18077 Fixes known vulnerability CVE-2017-18077 Mar 15, 2018
Known vulnerability found
CVE-2017-18077
Moderate severity
index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as de...

package-lock.json update suggested:
brace-expansion ~> 1.1.7
Always verify the validity and compatibility of suggestions with your codebase.

[email protected] ~> [email protected] ~> [email protected]
@ivoputzer
Copy link
Author

I'm totally aware of prior deprecation notice as of #809 though this might deserve some attention @gotwarlost @davglass

cheers.

@coveralls
Copy link

Coverage Status

Coverage remained the same at 97.523% when pulling ccbb619 on ivoputzer:patch-1 into bc84c31 on gotwarlost:master.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants