Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dependency of vulnerable css-select is causing dependabot issues in other projects #85

Open
palminha opened this issue Mar 8, 2022 · 1 comment
Open

Dependency of vulnerable css-select is causing dependabot issues in other projects #85

palminha opened this issue Mar 8, 2022 · 1 comment

Comments

@palminha
Copy link

palminha commented Mar 8, 2022

causing problems in create-react-app (react-scripts)
facebook/create-react-app#12132

caused by a moderate vulnerability:

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  0.4.2 - 1.3.2
    Depends on vulnerable versions of css-select
    Depends on vulnerable versions of js-yaml
    node_modules/svgo
@marionebl
Copy link
Owner

Looking at the advisory this seems like security noise to me - you could attack yourself by crafting an inefficiently matched string as input to SVGO via svg-term-cli.

Pasting

while true do echo "."; done

seems like the simpler choice if you desire to do so though 🤷

That being said - if you care about this upgrade in particular I'm happy to review a PR.

This was referenced Mar 8, 2022
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@marionebl @palminha