tap-spec
High Severity Vulnerability - Regular Expression Denial of Service in trim
What
There are currently 3 high severity vulnerabilities in tap-spec 5.0.0.
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "tap-out": {
      "name": "tap-out",
      "severity": "high",
      "via": [
        "trim"
      ],
      "effects": [
        "tap-spec"
      ],
      "range": "*",
      "nodes": [
        "node_modules/tap-out"
      ],
      "fixAvailable": {
        "name": "tap-spec",
        "version": "2.2.2",
        "isSemVerMajor": true
      }
    },
    "tap-spec": {
      "name": "tap-spec",
      "severity": "high",
      "via": [
        "tap-out"
      ],
      "effects": [],
      "range": "2.1.2 || >=3.0.0",
      "nodes": [
        "node_modules/tap-spec"
      ],
      "fixAvailable": {
        "name": "tap-spec",
        "version": "2.2.2",
        "isSemVerMajor": true
      }
    },
    "trim": {
      "name": "trim",
      "severity": "high",
      "via": [
        {
          "source": 1700,
          "name": "trim",
          "dependency": "trim",
          "title": "Regular Expression Denial of Service in trim",
          "url": "https://npmjs.com/advisories/1700",
          "severity": "high",
          "range": "<0.0.3"
        }
      ],
      "effects": [
        "tap-out"
      ],
      "range": "<0.0.3",
      "nodes": [
        "node_modules/trim"
      ],
      "fixAvailable": {
        "name": "tap-spec",
        "version": "2.2.2",
        "isSemVerMajor": true
      }
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 3,
      "critical": 0,
      "total": 3
    },
    "dependencies": {
      "prod": 1,
      "dev": 36,
      "optional": 0,
      "peer": 0,
      "peerOptional": 0,
      "total": 36
    }
  }
}
/cc @scottcorgan - Do you have any thoughts?
Seems @scottcorgan checked out of open source around mid 2019. It looks like someone already forked and fixed the tests and vulnerabilities:
https://www.npmjs.com/package/@randomgoods/tap-spec
Also looks like a new in-development package has been created
https://www.npmjs.com/package/tap-spek
For those seeking a warning-free alternative to tap-spec, tap-arc (formerly tap-spek) is a good drop-in replacement that is actively maintained.