normalize-url v3 is vulnerable
Closed this issue · 8 comments
andreainnocenti commented
https://snyk.io/vuln/SNYK-JS-NORMALIZEURL-1296539
Please upgrade normalize-url to version 6.0.1, 5.3.1, 4.5.1 or higher.
PatrykMilewski commented
Hey! Any chance to release a fix?
develth commented
Release of updated normalize-url would be nice. Thanks!
IonicaBizau commented
I am on this. Sorry for the delay... I will release a major update since normalize-url doesn't seem to be compatible with Safari.
PatrykMilewski commented
But the vulnerability is fixed for "normalize-url": "4.5.1", so can't it be just updated from 4.5.0 to 4.5.1?
PatrykMilewski commented
┌───────────────┬────────────────────────────────────────────────────┐
│ high          │ Regular Expression Denial of Service               │
├───────────────┼────────────────────────────────────────────────────┤
│ Package       │ normalize-url                                      │
├───────────────┼────────────────────────────────────────────────────┤
│ Patched in    │ >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1        │
├───────────────┼────────────────────────────────────────────────────┤
│ Dependency of │ lerna                                              │
├───────────────┼────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/version > @lerna/github-client >    │
│               │ git-url-parse > git-up > parse-url > normalize-url │
├───────────────┼────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1755              │
└───────────────┴────────────────────────────────────────────────────┘
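As an added example (not code from parse-url or from anyone in this thread), a Node script that walks a package-lock.json style dependency tree and flags every normalize-url copy whose version lies outside the patched ranges from the audit output above; the lock tree it runs on is constructed to mirror the quoted path, with intermediate package versions left out.

```javascript
// Added example, not code from parse-url or this thread: walk a package-lock
// (v1 "dependencies" nesting) and report every normalize-url instance with its
// dependency path and whether its version falls in the advisory's patched
// ranges: >=4.5.1 <5.0.0 || >=5.3.1 <6.0.0 || >=6.0.1.
const PATCHED_RANGES = [
  { min: [4, 5, 1], max: [5, 0, 0] },
  { min: [5, 3, 1], max: [6, 0, 0] },
  { min: [6, 0, 1], max: null },        // open-ended upper bound
];
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}
function compare(a, b) {                // major.minor.patch, lexicographic
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
function isPatched(version) {
  const v = parseVersion(version);
  return PATCHED_RANGES.some(r =>
    compare(v, r.min) >= 0 && (r.max === null || compare(v, r.max) < 0));
}
// Recursively collect every normalize-url node with its "a > b > c" path.
function findNormalizeUrl(tree, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'normalize-url') {
      hits.push({ path: here.join(' > '), version: info.version, patched: isPatched(info.version) });
    }
    hits.push(...findNormalizeUrl(info, here));
  }
  return hits;
}
// Constructed sample lock tree mirroring the audit path quoted above; the
// intermediate packages carry no version because only normalize-url's matters.
function chain(names, leaf) {
  return names.reduceRight((inner, name) => ({ dependencies: { [name]: inner } }), leaf);
}
const SAMPLE_LOCK = chain(
  ['lerna', '@lerna/version', '@lerna/github-client', 'git-url-parse', 'git-up', 'parse-url'],
  { dependencies: { 'normalize-url': { version: '4.5.0' } } });
SAMPLE_LOCK.dependencies['normalize-url'] = { version: '6.0.1' };  // a hoisted, patched copy

console.log(findNormalizeUrl(SAMPLE_LOCK));
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of `SAMPLE_LOCK`; a `patched: false` hit shows exactly which parent pins the vulnerable copy.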
develth commented
Is it possible to get a 5.0.7 with 4.5.1, so the packages using this package will get the fixed version?
IonicaBizau commented
@develth Good idea! Just published 5.0.7 requiring normalize-url@4.5.1. Thanks!
develth commented
Thanks @IonicaBizau!