
fix: chaijs/get-func-name vulnerable to ReDoS #1431

Merged
merged 1 commit into from
Sep 28, 2023

Conversation

strophy
Collaborator

@strophy strophy commented Sep 28, 2023

Issue being fixed or feature implemented

CI was failing with a ReDoS attack CVE:

Run yarn npm audit --environment production --all --recursive
└─ get-func-name: 2.0.0
   ├─ ID: 1094183
   ├─ Issue: Chaijs/get-func-name vulnerable to ReDoS
   ├─ URL: https://github.com/advisories/GHSA-4q6p-r6v2-jvc5
   ├─ Severity: high
   ├─ Vulnerable Versions: <2.0.1
   ├─ Patched Versions: >=2.0.1
   ├─ Via: chai, chai-as-promised
   └─ Recommendation: Upgrade to version 2.0.1 or later
Error: Process completed with exit code 1.

What was done?

Update dependencies to "chai": "^4.3.9"

How Has This Been Tested?

Locally and in CI

Breaking Changes

None

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have made corresponding changes to the documentation

For repository code-owners and collaborators only

  • I have assigned this pull request to a milestone

@QuantumExplorer QuantumExplorer merged commit a9168e4 into v0.25-dev Sep 28, 2023
26 of 48 checks passed
@QuantumExplorer QuantumExplorer deleted the fix/get-func-name-cve branch September 28, 2023 05:43
@thephez thephez added this to the v0.25.0 milestone Oct 11, 2023