0.0.7 is Vulnerable #21
Comments
Link to the actual advisory: GHSA-whgm-jr23-g3j9
This package is not being maintained anymore (apparently); alternatively, you can use the fixed version:
@mahdyar how in case of indirect dependencies?
If you're using yarn, there are Selective dependency resolutions, which @CoryDanielson explained here: This doesn't seem to work with npm natively, however there is a package for it (I haven't tried it myself):
You might also go to the repo for the dependency and see if they have an update pointing to the community version. I was able to fix it by just updating webpack-hot-middleware.
For indirect dependencies, to fix using
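The comments above ask how to find and pin a transitive copy of ansi-html. The following is an added example, not code from this project or any commenter: it walks a constructed lockfileVersion 1 package-lock.json, reports every installed copy of ansi-html and which packages require it, and builds the yarn `resolutions` entries that would pin those paths. The package-lock layout is the standard npm v1 shape; the lock contents and the `FIXED_VERSION` placeholder are assumptions.

```python
import json

# Constructed sample package-lock.json (lockfileVersion 1), not a real project's lock file.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "ansi-html": {"version": "0.0.7"},
        "webpack-dev-server": {
            "version": "3.11.0",
            "requires": {"ansi-html": "0.0.7", "webpack-hot-middleware": "^2.25.0"},
        },
        "webpack-hot-middleware": {
            "version": "2.25.0",
            "requires": {"ansi-html": "0.0.7"},
            # a second, nested copy installed under this package's own node_modules
            "dependencies": {"ansi-html": {"version": "0.0.7"}},
        },
        "react": {"version": "17.0.2"},
    },
})

# Placeholder: substitute the version of the fixed (community) package you adopt.
FIXED_VERSION = "<fixed-version>"


def _walk(deps, path, out):
    """Flatten the nested 'dependencies' tree into (lock_path, version, requires) tuples."""
    for name, entry in deps.items():
        here = path + [name]
        out.append((here, entry.get("version"), entry.get("requires", {})))
        _walk(entry.get("dependencies", {}), here, out)


def find_copies(lock_text, package="ansi-html"):
    """Locate every installed copy of `package` (the advisory covers all of its versions)
    and every package that declares a dependency on it, by lock path."""
    entries = []
    _walk(json.loads(lock_text).get("dependencies", {}), [], entries)
    copies = [{"installed_at": "/".join(p), "version": v}
              for p, v, _ in entries if p[-1] == package]
    required_by = ["/".join(p) for p, _, req in entries if package in req]
    return {"copies": copies, "required_by": required_by}


def build_resolutions(findings, fixed_version=FIXED_VERSION):
    """Yarn selective-resolution keys: one per installed lock path, so nested copies are pinned too."""
    return {c["installed_at"]: fixed_version for c in findings["copies"]}
```

Run `find_copies` over your real package-lock.json and merge the `build_resolutions` output into the `"resolutions"` field of package.json before reinstalling.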
Since this is also an issue with React-based applications where yarn is used: can you please document here how to handle the situation in the case of yarn? Thank you very much!
Hi @thediveo, could you please try v0.0.9? I just removed lodash from the dev dependencies and fixed the Regular Expression Denial of Service (ReDoS) in lodash.
Recently, the GitHub scan shows that version 0.0.7 is vulnerable.
This affects all versions of the package ansi-html. If an attacker provides a malicious string, it will get stuck processing the input for an extremely long time.
Any plans to fix the vulnerability?