Security issue

[lodow]

While checking security of my project I found a vulnerability in this package.

[Nsp] (+) 1 vulnerabilities found
[Nsp] │Regular Expression Denial of Service
[Nsp] │ Name │ tough-cookie │
[Nsp] │ CVSS │ 7.5 (High) │
[Nsp] │ Installed │ 2.3.2 │
[Nsp] │ Vulnerable │ All │
[Nsp] │ Patched │ None │
[Nsp] │ Path │ [email protected] > [email protected] > request@… │
[Nsp] │ More Info │ https://nodesecurity.io/advisories/525 │

[recrsn]

bcrypt itself has no runtime dependencies. node-pre-gyp is used to install compiled binaries from `Github during install. The correct place to open this issue would be with node-pre-gyp or request module.

The ReDoS vulnerebility cannot be triggered on bcrypt while running.

However if you are paranoid, you can use npm install --build-from-source to compile all binaries. This does not use the code-path involving the tough-cookie module.

[thom-nic]

@agathver Indeed, however the problem is although node-pre-gyp is not really a runtime dependency, it is listed as one because it's needed at install time. I blame npm (joking) but since we can't fix that... node-pre-gyp currently has an open issue for this on their end: mapbox/node-pre-gyp#322.

A lot of nsp users are going to run into this for dependencies that rely on node-pre-gyp unfortunately. Since bcrypt depends on an exact node-pre-gyp version it would be good if you can update your dependency once they release a new version.