
Vulnerability in dependency for Yo

Open smartguest opened this issue 2 years ago • 2 comments

Type of issue

BUG

In a scan for one of our repos, we found a security issue inside Yo where "http-cache-semantics" is vulnerable to Regular Expression DoS:

CVE-2022-25881

This is caused by a transitive dependency found in the current version of Yo:

"[email protected] requires [email protected] via a transitive dependency on [email protected]"

The version of "http-cache-semantics" that is secure is 4.1.1.

Updating to Yo 4.3.1 did not fix this issue.

My environment

  • OS version/details: Windows 10 64-bit
  • Node version: 16.8.1 (run node --version in your terminal)
  • npm version: 8.12.1 (run npm --version in your terminal)
  • Version of yo: 4.3.1 (run yo --version in your terminal)

smartguest, Feb 07 '23 23:02
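The report above hinges on a nested copy of http-cache-semantics being pulled in transitively, which `npm audit` flags but which is easy to miss when the top-level copy is already fixed. The following is an added example, not code from the issue or from the yo project: it walks a package-lock.json (lockfileVersion 2/3 `packages` map, which is an assumption about the lock format in use), lists every installed copy of a named package, flags those below the fixed version 4.1.1 named in the issue, and emits the package.json `overrides` entry that npm 8.3 and later honour for pinning a transitive dependency. The lockfile fragment and the package names other than http-cache-semantics and yo are constructed placeholders.

```javascript
// Added example (not part of the issue or the yo project): scan an npm
// package-lock.json for every resolved copy of one package and flag the
// copies that are still below the fixed version.
const FIXED_VERSION = "4.1.1"; // first non-vulnerable release named in the issue

// Constructed lockfile fragment standing in for a real package-lock.json.
// "some-dep" and the versions of anything other than yo and the fixed
// http-cache-semantics are placeholders, not values taken from the issue.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/yo": { version: "4.3.1" },
    "node_modules/some-dep": { version: "1.0.0" },
    // nested copy: this is the one a top-level check would miss
    "node_modules/some-dep/node_modules/http-cache-semantics": { version: "4.1.0" },
    // hoisted top-level copy, already on the fixed version
    "node_modules/http-cache-semantics": { version: "4.1.1" },
  },
};

// Compare plain dotted numeric versions (x.y.z); prerelease tags are not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed path of `name` with its version and whether it is
// below `fixedVersion`. Nested copies live under ".../node_modules/<name>",
// so match the path suffix rather than only the top-level key.
function findPackageCopies(lock, name, fixedVersion) {
  const suffix = `node_modules/${name}`;
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      copies.push({
        path,
        version: entry.version,
        vulnerable: compareVersions(entry.version, fixedVersion) < 0,
      });
    }
  }
  return copies;
}

// Build the package.json "overrides" block that forces every copy of `name`
// to `fixedVersion` (supported by npm 8.3 and later).
function buildOverride(name, fixedVersion) {
  return { overrides: { [name]: fixedVersion } };
}

// Produce a human-readable report; returned as lines so it can be checked.
function report(lock, name, fixedVersion) {
  const copies = findPackageCopies(lock, name, fixedVersion);
  const lines = copies.map(
    (c) => `${c.path}@${c.version} ${c.vulnerable ? "VULNERABLE (< " + fixedVersion + ")" : "ok"}`
  );
  if (copies.some((c) => c.vulnerable)) {
    lines.push("suggested package.json addition:");
    lines.push(JSON.stringify(buildOverride(name, fixedVersion), null, 2));
  }
  return lines;
}

for (const line of report(SAMPLE_LOCK, "http-cache-semantics", FIXED_VERSION)) {
  console.log(line);
}
```

Point `SAMPLE_LOCK` at `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; after adding the `overrides` block, `npm install` regenerates the lock and a second run should report every copy as `ok`.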

@smartguest Hi, did you manage to fix it?

dsokur, Feb 13 '23 14:02

I believe my changes in https://github.com/yeoman/yo/pull/794 fix this.

strmer15, Nov 03 '23 21:11