Yarn audit - dependency vulnerability detected
pkunze opened this issue · 1 comment
pkunze commented
Hi all!
Running `yarn audit` on a project using jquery-validation-unobtrusive results in:

```
$ yarn audit --groups dependencies
yarn audit v1.22.17
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Regular Expression Denial of Service in jquery-validation    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery-validation                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.19.3                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jquery-validation-unobtrusive                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jquery-validation-unobtrusive > jquery-validation            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1005494                     │
└───────────────┴──────────────────────────────────────────────────────────────┘
1 vulnerabilities found - Packages audited: 10
Severity: 1 Moderate
Done in 1.34s.
```

It seems that bumping up the dependency on jquery-validation in package.json would fix this.
I would gladly go ahead and submit a PR for this if there is no reason not to do so.
pkunze commented
Never mind. It was me forgetting to upgrade the lockfile.
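The root cause in this thread is the difference between the range declared in package.json and the version actually pinned in yarn.lock: `yarn audit` reports the locked resolution, so a range that already permits 1.19.3 still audits as vulnerable until the lockfile is refreshed. The following added example (not code from the jquery-validation-unobtrusive project) parses a constructed yarn.lock v1 fragment and reports any locked resolution of a package below the patched version given in the advisory. The function names, the lockfile contents and the placeholder `resolved`/`integrity` values are assumptions for illustration.

```javascript
// Added example: find lockfile resolutions that are still below a patched version.
// yarn audit reads yarn.lock, not the package.json range, so a stale lockfile keeps
// reporting a vulnerability even after the declared range has been bumped.

// Constructed yarn.lock v1 fragment (not a real lockfile): the declared range already
// allows 1.19.3, but the lockfile still pins 1.19.2 until `yarn upgrade` refreshes it.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"jquery-validation@^1.19.3":
  version "1.19.2"
  resolved "https://registry.yarnpkg.com/jquery-validation/-/jquery-validation-1.19.2.tgz#CONSTRUCTED"
  integrity sha512-CONSTRUCTED

jquery@^3.6.0:
  version "3.6.0"
  resolved "https://registry.yarnpkg.com/jquery/-/jquery-3.6.0.tgz#CONSTRUCTED"
`;

// Parse yarn.lock v1 text into a map of "<name>@<range>" -> { version }.
// A header line may list several comma-separated keys that share one entry.
function parseYarnLockV1(text) {
  const entries = {};
  let current = null;
  for (const rawLine of text.split("\n")) {
    if (!rawLine.trim() || rawLine.startsWith("#")) continue;
    if (!rawLine.startsWith(" ")) {
      const keys = rawLine
        .replace(/:\s*$/, "")
        .split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
      current = { version: null };
      for (const k of keys) entries[k] = current;
    } else if (current) {
      const m = rawLine.trim().match(/^version "([^"]+)"$/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Compare dotted numeric versions (pre-release tags are not handled here); -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every locked resolution of `name` whose version is below `patchedVersion`.
function findUnpatched(lockText, name, patchedVersion) {
  const entries = parseYarnLockV1(lockText);
  const hits = [];
  for (const [key, entry] of Object.entries(entries)) {
    if (!key.startsWith(name + "@") || !entry.version) continue;
    if (compareVersions(entry.version, patchedVersion) < 0) {
      hits.push({ key, version: entry.version });
    }
  }
  return hits;
}

// Usage: reports the stale 1.19.2 pin even though the range is already ^1.19.3.
console.log(findUnpatched(SAMPLE_LOCK, "jquery-validation", "1.19.3"));
```

Running the check against a real yarn.lock before opening a PR shows whether a package.json bump is needed at all or whether, as here, the lockfile simply needs regenerating.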