
Transitive dependency uglify.js is vulnerable to Regular Expression Injection

Open fermaem opened this issue 9 years ago • 4 comments

Halacious 3.4.0 (latest available version) depends on swig in version 1.4.2 (latest available version, but no longer maintained) which depends on uglify-js in version ~2.4.0

Versions of uglify < 2.6.0 are vulnerable to Regular Expression Denial of Service.

Below is the result of nsp check:

> nsp check
(+) 1 vulnerabilities found
┌───────────────┬───────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                  │
├───────────────┼───────────────────────────────────────────────────────┤
│ Name          │ uglify-js                                             │
├───────────────┼───────────────────────────────────────────────────────┤
│ Installed     │ 2.4.24                                                │
├───────────────┼───────────────────────────────────────────────────────┤
│ Vulnerable    │ <2.6.0                                                │
├───────────────┼───────────────────────────────────────────────────────┤
│ Patched       │ >=2.6.0                                               │
├───────────────┼───────────────────────────────────────────────────────┤
│ Path          │ swig > uglify-js                                      │
├───────────────┼───────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/48                 │
└───────────────┴───────────────────────────────────────────────────────┘

fermaem, Nov 26 '15 22:11
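As an added example (not code from the halacious project or the issue author), here is a small script that reproduces the kind of finding nsp check reports above: it walks an npm ls --json style dependency tree and flags every transitive copy of uglify-js whose installed version is below the patched 2.6.0, printing the path the same way nsp does. The tree, the uglifyAdvisory object and the extra direct uglify-js 2.6.1 entry are constructed for the example.

```javascript
// Added example, not code from halacious or the issue author: walk an
// `npm ls --json`-style dependency tree and flag each transitive copy of a
// package whose installed version is below the advisory's patched version.

// Turn "2.4.24" (or "v2.4.24", "2.4.24-beta") into [2, 4, 24].
function parseSemver(v) {
  return v.replace(/^[^\d]*/, '').split('-')[0].split('.').map(Number);
}

// True when version a is strictly lower than version b (numeric, not lexical,
// so "2.10.0" is correctly seen as newer than "2.6.0").
function semverLt(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Depth-first walk over { name, version, dependencies: { <name>: node } }.
// Returns one finding per vulnerable copy, with its path from the root's
// direct dependencies, e.g. "swig > uglify-js".
function findVulnerablePaths(tree, advisory, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = path.concat(name);
    if (name === advisory.name && semverLt(node.version, advisory.patched)) {
      out.push({ installed: node.version, path: here.join(' > ') });
    }
    findVulnerablePaths(node, advisory, here, out);
  }
  return out;
}

// Advisory data taken from the nsp output in the issue: patched is >=2.6.0.
const uglifyAdvisory = { name: 'uglify-js', patched: '2.6.0' };

// Constructed tree mirroring the chain in the issue (halacious 3.4.0 -> swig
// 1.4.2 -> uglify-js 2.4.24). The direct uglify-js 2.6.1 entry is invented to
// show that an already patched copy is not flagged.
const sampleTree = {
  name: 'halacious', version: '3.4.0',
  dependencies: {
    swig: { version: '1.4.2',
            dependencies: { 'uglify-js': { version: '2.4.24' } } },
    'uglify-js': { version: '2.6.1' },
  },
};
console.log(findVulnerablePaths(sampleTree, uglifyAdvisory));
```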

@bleupen Hey! Have you devised any plan regarding this? Thanks in advance for your feedback!

fermaem, Nov 30 '15 00:11

Hello, I plan to take a look in the morning once I'm back at my desk.


bleupen, Nov 30 '15 01:11

That’s too bad about swig. Sounds like switching to nunjucks might be the way to go. What do you think?


bleupen, Nov 30 '15 14:11

Unfortunately, I do not know nunjucks.

/cc @yoshylord @sroccaserra-octo Thoughts?

fermaem, Nov 30 '15 16:11