flow-coverage-report
CVE-2021-3803 via badge-up / svgo / css-select
Users of flow-coverage-report have Inefficient Regular Expression Complexity "vulnerability" CVE-2021-3803 via transitive dependency badge-up / [email protected] / css-select / [email protected]. Upgrading to latest svgo links a non-vulnerable version of nth-check.
One trouble is https://github.com/yahoo/badge-up/pull/21 isn't merging. We could pull it into your fork in https://github.com/rpl/badge-up/pull/1 and then upgrade the fork version here.
Hey @joshuanapoli,
We're part of a startup called Seal Security that mitigates software vulnerabilities in older open source versions by backporting/creating standalone security patches - enabling more straightforward remediation in cases like this. We created an nth-check 1.02-sp1 that's vulnerability-free. As with all of our patches, it's open-source and available for free.
If relevant, check out our GitHub repo if you wish to learn more, or start using our app.
Please feel free to reach us at [email protected] if you have any requests/questions.