micromatch/braces

"Regular Expression Denial of Service" Vulnerability thrown despite package update

Orrison opened this issue · 5 comments

It seems this package is still throwing a "Regular Expression Denial of Service" Vulnerability despite updating to 2.3.1 or higher as stated in the advisory https://www.npmjs.com/advisories/786

I have reached out to the npm security team to see if this is an issue on their end, but I think it is important to note since it is throwing errors in the most up-to-date version of npm.

Yes. It is saying it has been patched in version 2.3.1 yet I'm still facing this issue with the latest version

It seems this package is still throwing

"throwing" an annoying message in the terminal, you mean?


Please notify NPM, the problem seems to be on their end.

I'll leave this open until it's resolved.

The npm security team got back to me and said this is not something their team can resolve and to reach out to the npm support team. I sent them an email and I am now waiting for a reply back.

Will update here with what they say

@GaxZE that didn't even mention braces, that output isn't related to this repository.

Hey folks,

So this was definitely my bad, sorry for the run around @jonschlinkert

So the deal was that I was specifically requesting jest@23.6.0 in my package.json which down the tree had the outdated braces dependency.

I was able to use the package npm-remote-ls to check out my current version of jest and look down its tree.

The key was to look at the first package listed in the audit error and check to see if you have that one updated in your package.json.

Sorry about that, I am new to node and npm
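The check described in this thread (find the direct dependency at the head of the audit path that pulls in an unpatched braces), as an added example that is not part of the original thread or the braces project. It walks an npm lockfile v1 "dependencies" tree; the sample lockfile is constructed and is not the real jest dependency graph.

```javascript
// Walk a lockfile v1 "dependencies" tree and report every path that reaches
// a package whose installed version is older than the advisory's fixed
// version. The first element of each path is the direct dependency to bump.

// Compare two "major.minor.patch" strings; negative, zero or positive.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Recursively collect paths (arrays of "name@version") to `target` whose
// version is below `fixedIn`. Lockfile v1 nests transitive deps under
// each entry's own "dependencies" key.
function findVulnerablePaths(deps, target, fixedIn, trail = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = trail.concat(`${name}@${entry.version}`);
    if (name === target && compareVersions(entry.version, fixedIn) < 0) {
      hits.push(path);
    }
    hits.push(...findVulnerablePaths(entry.dependencies, target, fixedIn, path));
  }
  return hits;
}

// Constructed sample lockfile (chain and versions are illustrative): an old
// jest pins an old braces, while a direct braces dependency is patched.
const sampleLock = {
  dependencies: {
    jest: {
      version: '23.6.0',
      dependencies: {
        micromatch: {
          version: '2.3.11',
          dependencies: { braces: { version: '1.8.5' } },
        },
      },
    },
    braces: { version: '2.3.2' },
  },
};

// The top-level package responsible for each vulnerable copy of `target`.
function rootsToBump(lock, target, fixedIn) {
  return findVulnerablePaths(lock.dependencies, target, fixedIn).map(p => p[0]);
}
```

With a real project, load `package-lock.json` with `JSON.parse(fs.readFileSync(...))` in place of `sampleLock`; `rootsToBump(lock, 'braces', '2.3.1')` then names the entries in package.json that need updating.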