
Upgrade ansi-regex dependency to address CVE-2021-3807 #949

Closed
pzi opened this issue Mar 16, 2022 · 3 comments · Fixed by #986 or #997

Comments

@pzi
Contributor

pzi commented Mar 16, 2022

Description

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807
https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the sub-patterns [\#;?]* and (?:;[-a-zA-Z\d\/#&.:=?%@~_]).

Expected behavior

No security issues.

Steps To Reproduce

  1. npm install
  2. npm audit
  3. See warnings

Possible Fix

npm upgrade ansi-regex

Upgrade ansi-regex to version 6.0.1, 5.0.1 or higher.

Your Environment

  • JSS Version: 19.0.2
@ambrauer
Contributor

@pzi Thanks for the heads up. We perform a security audit and address vulnerabilities typically once per release cycle. We'll make sure this one is addressed. In this case, it appears to be low risk since the affected module would only be used for development purposes.

@pzi
Contributor Author

pzi commented Mar 17, 2022

Ok, thanks for responding promptly and offering to fix it in the next release cycle.

@art-alexeyenko
Contributor

@pzi Starting from JSS 20 sitecore-jss-manifest is merged into sitecore-dev-tools, and these deps you mentioned are addressed. Some extra deps were addressed in dev too.
Small note - there's one instance of the older ansi-regex version left in out-of-the-box JSS nextjs sample, through @graphql-codegen/cli.
It's a dev dependency and, the way it is set up, I don't see any ways to exploit it.
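
One way to check a project's lock file for copies of ansi-regex still on affected versions, including nested copies like the one under @graphql-codegen/cli mentioned above, and to record whether each copy is dev-only. This is an added example, not code from the issue or the JSS project: the lock-file excerpt, the `some-tool` package and the `auditLock` helper are constructed, and the affected-version rule is derived from the fix versions (5.0.1 and 6.0.1) stated in the issue.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// for ansi-regex copies affected by CVE-2021-3807. Sample data is constructed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparsable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Fixed versions per the issue are 5.0.1 and 6.0.1: anything below 5.0.1,
// or the 6.0.0 release, is treated as affected.
function isAffectedAnsiRegex(version) {
  const [major] = parseVersion(version);
  if (major >= 6) return compareVersions(version, '6.0.1') < 0;
  return compareVersions(version, '5.0.1') < 0;
}

// Walk every installed path, so nested copies such as
// node_modules/@graphql-codegen/cli/node_modules/ansi-regex are found too.
function auditLock(lock) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/ansi-regex')) continue;
    findings.push({ path, version: pkg.version,
      affected: isAffectedAnsiRegex(pkg.version), devOnly: pkg.dev === true });
  }
  return findings;
}

// Constructed lock-file excerpt mirroring the situation described in the thread
// (one hoisted fixed copy, two nested dev-only copies; "some-tool" is invented).
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/ansi-regex': { version: '5.0.1' },
    'node_modules/@graphql-codegen/cli/node_modules/ansi-regex': { version: '5.0.0', dev: true },
    'node_modules/some-tool/node_modules/ansi-regex': { version: '6.0.0', dev: true },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version} affected=${f.affected} devOnly=${f.devOnly}`);
}
```

Run against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; findings with `affected: true` are the copies `npm audit` reports.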
