expressjs/serve-index

nsp security error on 1.7.3

Closed this issue · 7 comments

Looking at master, it looks like all that needs to be done is cut a new version, but we're seeing this error in redfin/react-server#291

dougwade packages/react-server-cli ‹react-server-cli-nsp*› » nsp check
(+) 1 vulnerabilities found
┌───────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                                                                                                                    │
├───────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Name          │ negotiator                                                                                                                                              │
├───────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 0.5.3                                                                                                                                                   │
├───────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <= 0.6.0                                                                                                                                                │
├───────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Patched       │ >= 0.6.1                                                                                                                                                │
├───────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Path          │ react-server-cli@0.3.2 > webpack-dev-server@1.14.1 > serve-index@1.7.3 > accepts@1.2.13 > negotiator@0.5.3                                              │
├───────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/106                                                                                                                  │
└───────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

According to the advisory (https://nodesecurity.io/advisories/106) this module is not affected, because it does not perform language-based negotiations. We'll get an update eventually, but it's definitely not a priority if we are not affected more than just having an out-of-date dependency in our tree.

Closing the issue since our policy is to close issues that are fixed on master, which applies in this case. The additional note I have is above, that this module is not affected by the advisory.

I see that technically we can upgrade the accepts a bit more; re-opening until that is done.

I guess I can work on doing this tonight.

Thanks!

Hi @doug-wade, sorry it is taking a bit. AppVeyor just takes forever to test, so it takes a long time to get confirmation of the changes. That and I'm just trying to wrap up what is supposed to be the 1.8.0 release of this module (plus the good thing is that the issue, as outlined in the advisory, is not actually exploitable in this module, since it only affects a subset of the negotiator this module does not use). It's too bad tools like nsp cannot tell the difference :) Tools like nsp are basically built around the assumption of micro modules, where if you are using a module, then you're almost definitely using the vulnerable functionality, if the module only does one thing :D
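Added example (JavaScript; not code from serve-index, nsp or the react-server project): the two questions the thread above walks through, "is a vulnerable copy present anywhere in the tree?" (which nsp answers by matching the installed version against the advisory range) and "does the consumer actually reach the affected feature?" (which nsp cannot answer), written out as a small triage script. The dependency tree is constructed to mirror the nsp path in the report and uses the versions and ranges from that table; the feature names (`languages` for the advisory, `types` for serve-index), the `triage` helper and the `action` labels are assumptions made for this example, standing in for the advisory's "language-based negotiation" and the maintainer's statement that this module does not use it.

```javascript
// Added example: triage an nsp-style transitive finding against an in-memory
// dependency tree. Not code from serve-index, nsp or react-server.

// Parse "major.minor.patch" into three integers (a leading "v" is tolerated;
// pre-release suffixes are ignored for this example).
function parseVersion(v) {
  return String(v).replace(/^[^\d]*/, '').split('.').slice(0, 3)
    .map(n => parseInt(n, 10) || 0);
}

// Sort-style comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Evaluate the simple comparator ranges nsp prints ("<= 0.6.0", ">= 0.6.1");
// several clauses separated by spaces must all hold.
function satisfies(version, range) {
  const clauses = String(range).match(/(<=|>=|<|>|=)\s*[\d.]+/g);
  if (!clauses) return false; // unparseable range: treat as "not in range"
  return clauses.every(clause => {
    const [, op, bound] = clause.match(/(<=|>=|<|>|=)\s*([\d.]+)/);
    const cmp = compareVersions(version, bound);
    switch (op) {
      case '<':  return cmp < 0;
      case '<=': return cmp <= 0;
      case '>':  return cmp > 0;
      case '>=': return cmp >= 0;
      default:   return cmp === 0;
    }
  });
}

// Depth-first walk over {name, version, dependencies[]} nodes, collecting every
// path that ends in the advisory's package at a version inside its vulnerable range.
function findVulnerablePaths(root, advisory) {
  const hits = [];
  (function walk(node, path) {
    const here = path.concat(`${node.name}@${node.version}`);
    if (node.name === advisory.name && satisfies(node.version, advisory.vulnerable)) {
      hits.push(here.join(' > '));
    }
    for (const dep of node.dependencies || []) walk(dep, here);
  })(root, []);
  return hits;
}

// The second question nsp cannot answer: is the vulnerable feature reachable?
// `usedFeatures` is what the consumer actually calls (supplied by whoever does
// the triage), `advisory.affectedFeatures` is what the advisory covers.
function triage(root, advisory, usedFeatures) {
  const paths = findVulnerablePaths(root, advisory);
  const reachable = advisory.affectedFeatures.some(f => usedFeatures.includes(f));
  return {
    present: paths.length > 0,
    paths,
    exploitable: paths.length > 0 && reachable,
    action: paths.length === 0 ? 'none' : reachable ? 'upgrade now' : 'upgrade when convenient',
  };
}

// Constructed tree mirroring the nsp path in the issue (only that branch is modelled).
function sampleTree(negotiatorVersion = '0.5.3') {
  return { name: 'react-server-cli', version: '0.3.2', dependencies: [
    { name: 'webpack-dev-server', version: '1.14.1', dependencies: [
      { name: 'serve-index', version: '1.7.3', dependencies: [
        { name: 'accepts', version: '1.2.13', dependencies: [
          { name: 'negotiator', version: negotiatorVersion, dependencies: [] },
        ] },
      ] },
    ] },
  ] };
}

// Ranges are those from the nsp table; the feature name is an assumption standing
// in for the "language-based negotiation" the advisory describes.
const advisory106 = {
  name: 'negotiator', vulnerable: '<= 0.6.0', patched: '>= 0.6.1',
  affectedFeatures: ['languages'],
};

// serve-index is assumed to use only media-type negotiation, per the maintainer's comment.
console.log(triage(sampleTree(), advisory106, ['types']));
// Same tree after accepts pulls in a patched negotiator: no vulnerable path remains.
console.log(triage(sampleTree('0.6.1'), advisory106, ['types']));
```

Run with `node`; the first verdict is "present but not exploitable, upgrade when convenient", which is the maintainer's position above, and the second shows the finding disappearing once a patched negotiator is in the tree. The reachability answer is only as good as the `usedFeatures` list you supply, so it records a human judgement rather than replacing one.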

Sorry for the delay, @doug-wade. Published as 1.8.0