
Regular Expression Denial of Service in trim

Open danwulff opened this issue 7 months ago • 1 comment

Describe the bug

decap-cms-app has a transitive dependency on trim, which currently has a security vulnerability for the pinned version.

https://github.com/advisories/GHSA-w5p7-h5w8-2hfq


To Reproduce

  1. In a new directory npm init -y && npm i decap-cms-app && npm audit

npm audit logs

Alternatively:

  1. Create a repo with decap-cms-app as a package.json dependency
  2. Enable dependabot security updates
  3. Witness dependabot security alert and inability to update

Logs from dependabot's attempt to update

Expected behavior

decap-cms-app should not have security vulnerabilities via transitive dependencies.

Applicable Versions:

  • Decap CMS version: 3.8.3

danwulff avatar Aug 02 '25 10:08 danwulff
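The core of this report is that the vulnerable `trim` is pulled in transitively, so `npm audit` flags it but nobody can bump it directly. The script below is an added example, not code from the issue or from the Decap CMS project: it walks the `packages` map of a lockfile v2/v3 and reports every dependency chain that ends at a given package, which shows which intermediate dependency pins the version. The embedded lockfile is constructed for illustration; `decap-cms-app@3.8.3` comes from the report, the `remark-parse` and `trim` versions are placeholders.

```javascript
// Constructed sample of a package-lock.json v3 "packages" map (not a real lockfile).
// Keys are install paths; the root package is "".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-site", dependencies: { "decap-cms-app": "^3.8.3" } },
    "node_modules/decap-cms-app": { version: "3.8.3", dependencies: { "remark-parse": "^7.0.0" } },
    "node_modules/remark-parse": { version: "7.0.0", dependencies: { trim: "0.0.1" } },
    "node_modules/trim": { version: "0.0.1" },
  },
};

// Resolve which installed copy of `depName` a package at `fromPath` would load,
// following npm's nested node_modules lookup (nearest node_modules first, then parents).
function resolveDep(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${depName}` : `node_modules/${depName}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every dependency chain from the root to `target`, as "name@version" steps.
function findChains(lock, target) {
  const { packages } = lock;
  const chains = [];
  const label = (p) => `${p.split("node_modules/").pop()}@${packages[p].version}`;
  const walk = (pkgPath, trail) => {
    const entry = packages[pkgPath];
    for (const dep of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, pkgPath, dep);
      if (!depPath || trail.includes(depPath)) continue; // unresolved, or a cycle
      const next = [...trail, depPath];
      if (dep === target) chains.push(next.map(label));
      else walk(depPath, next);
    }
  };
  walk("", []);
  return chains;
}

// Stand-alone usage: point this at JSON.parse(fs.readFileSync("package-lock.json")) in a real project.
console.log(findChains(SAMPLE_LOCK, "trim").map((c) => c.join(" > ")).join("\n"));
```

Each reported chain names the direct dependency and the intermediate package whose pin has to move before the transitive fix can land, which is the same conclusion the maintainer reaches below.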

@danwulff we have to update remark-parse, which is a very painful task :/

martinjagodic avatar Aug 04 '25 07:08 martinjagodic