jonschlinkert/regex-not

Potentially unsafe regular expression (edit: THIS HAS BEEN FIXED. READ BELOW)

aj-foster opened this issue · 17 comments

Edit: A patch has been released. Ensure you are using version 1.0.2 (not 1.0.1) and you can continue on your merry way. :)


Using regex-not@1.0.1 as a subdependency of chokidar under node v8.9.4, I obtain the following error:

/srv/course/node_modules/regex-not/index.js:62
    throw new Error('potentially unsafe regular expression: ' + res);
    ^

Error: potentially unsafe regular expression: ^(?:(?!(?:[\[!*+?$^"'.\\/]+)).)+
    at Function.toRegex.create (/srv/course/node_modules/regex-not/index.js:62:11)
    at createTextRegex (/srv/course/node_modules/nanomatch/lib/parsers.js:378:22)
    at Object.<anonymous> (/srv/course/node_modules/nanomatch/lib/parsers.js:14:11)
    at Module._compile (module.js:643:30)
    at Object.Module._extensions..js (module.js:654:10)
    at Module.load (module.js:556:32)
    at tryModuleLoad (module.js:499:12)
    at Function.Module._load (module.js:491:3)
    at Module.require (module.js:587:17)
    at require (internal/module.js:11:18)

Feel free to close if this is specific to the chokidar use case.

Also, I'm so sorry for posting an issue just 12 minutes after you published the version 😓

Same for me, pinned to 1.0.0 with yarn for now.

Same for me.

Same for me, affects gulp-cli. I actually just filed an issue over there.

This has broken gulp. Please release a new version that reverts this.

Same for me.

This breaks nodemon as well.

Really sorry, this was unintentional.

It should be fixed.

Initially, I had if (opts.safe === true...), which was a patch. Then I briefly considered bumping to a major with if (opts.safe !== false...) and mistakenly forgot to revert my code before pushing up.

This was human error, apologies.

I'll keep this open for a bit to make sure it's fixed for everyone. In regards to why I want to do this as a patch, I think it's important to ensure that implementors can prevent users from passing unsafe regular expressions.

This has been fixed

  • delete node_modules
  • reinstall everything

(You might also need to delete yarn.lock and/or package-lock.json to ensure that cached modules are not used.)

vue-cli is back up and running, thank you for the quick resolve!

Won't you need to tag a new release?

I did

1.0.2 fixes nodemon (latest, version 1.15.1)

Thanks for the quick fix 🙌

This really highlights what tremendous social responsibility comes with having a library that many things are dependent upon. This poor guy will probably have everything from Twitter DM's to frantic phone calls for the next 72 hours.

๐Ÿ‘ Thank you for the speedy fix.

Please lock this thread relatively soon to prevent it turning into a discussion board of unrelated topics and spamming everyone.

This poor guy will probably have everything from Twitter DM's to frantic phone calls for the next 72 hours.

Lol, I feel terrible that I broke everyone's code, but this comes with the territory. Worse, I was trying to implement something to make downstream dependents more secure, when generating regex from unknown sources.

the next 72 hours.

If it's only 72 hours, I'll be a happy camper lol.
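An added example, not code from regex-not or any of the projects named in this thread, illustrating the opt-in safety check the maintainer describes above (preventing users from passing unsafe regular expressions, and generating regex from unknown sources). It assumes a star-height heuristic as the "unsafe" test and a negation wrapper of the same shape as the regex in the stack trace; the gating difference between `opts.safe === true` and `opts.safe !== false` is what made 1.0.1 throw for callers that pass no options.

```javascript
// Added example; not regex-not's own code. A star-height heuristic in the spirit of the
// "potentially unsafe" check from the thread (the real library delegates to a separate
// checker; this inline reimplementation is an assumption so the example runs offline).
const QUANT = /^(?:[*+?]|\{\d+(?:,\d*)?\})\??/;
// Star height: how deeply quantifiers nest. 2 or more means a quantified atom sits inside
// a quantified group, the classic catastrophic-backtracking shape (a+)+.
function starHeight(source) {
  const stack = [0];                       // max height seen inside each open group
  let i = 0;
  while (i < source.length) {
    const ch = source[i];
    if (ch === '\\') {
      i += 2;                              // escaped character: one plain atom
    } else if (ch === '[') {               // character class: consumed as one atom
      i++;
      if (source[i] === '^') i++;
      if (source[i] === ']') i++;
      while (i < source.length && source[i] !== ']') i += source[i] === '\\' ? 2 : 1;
      i++;
    } else if (ch === '(') {
      stack.push(0);
      i++;
      if (source[i] === '?') i += 2;       // skip group prefixes such as (?: (?! (?=
      continue;
    } else if (ch === ')') {
      const inner = stack.pop();
      i++;
      const m = QUANT.exec(source.slice(i));
      if (m) i += m[0].length;
      stack[stack.length - 1] = Math.max(stack[stack.length - 1], m ? inner + 1 : inner);
      continue;
    } else {
      i++;                                 // any other plain atom (., ^, $, literal)
    }
    const m = QUANT.exec(source.slice(i)); // quantifier on a plain atom: height 1
    if (m) { i += m[0].length; stack[stack.length - 1] = Math.max(stack[stack.length - 1], 1); }
  }
  return stack[0];
}
// Negation wrapper shaped like the regex in the stack trace (assumed shape), gated the
// two ways the thread describes: opt-in (opts.safe === true, the 1.0.2 patch) versus
// on-by-default (opts.safe !== false, what leaked into 1.0.1 and broke dependents).
function createNot(pattern, opts = {}, safeByDefault = false) {
  const res = '^(?:(?!(?:' + pattern + ')).)+';
  const check = safeByDefault ? opts.safe !== false : opts.safe === true;
  if (check && starHeight(res) > 1) throw new Error('potentially unsafe regular expression: ' + res);
  return new RegExp(res);
}
// Inner pattern nanomatch passed, recovered from the error message in this issue.
const NANOMATCH_INNER = String.raw`[\[!*+?$^"'.\\/]+`;
```

With the on-by-default gating the nanomatch pattern is rejected because its inner `+` sits inside the outer `(...)+`, which is exactly the regex the stack trace shows; with the opt-in gating the same call succeeds unless the caller sets `safe: true`.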

I am deleting some of the "me too" comments that don't add any new information and were added AFTER the issue was already resolved. These comments are making it harder to find the important information in this issue.

Same for me, affects gulp-cli. I actually just filed an issue over there.

If you took the time to create issues on other impacted repositories, please also take the time to close those issues with information about the issue being resolved. Thanks!