mitre-attack/attack-navigator

No fix available (is_js *)

leeliu48307 opened this issue · 2 comments

Building the app with npm install, I got a lot of dependency warnings. Running npm audit, I got the following error:
is_js*
Severity: High
is_js vulnerability due to Regular Expression Denial of Service.
No fix available node_modules/is_js.

I searched google and got the same error message. 'No fix available'.
How do I fix it? Thanks.

Hi @leeliu48307,

The vulnerability you've encountered in the is_js package is due to a known issue with ReDoS (is_js GitHub Advisory), specifically in versions 0.9.0 and earlier. The is_js package does not have an available fix for this issue, and as such, we cannot patch this vulnerability within our project. The responsibility to fix this lies with the maintainers of is_js.

It's important to note that despite the vulnerability in the package, the application should still run as expected. Vulnerabilities like these typically pose a risk in scenarios where untrusted input is processed, leading to denial of service attacks. Running the application locally should not present a significant issue if proper security practices are followed and the application is protected from untrusted inputs.
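The reply above leaves one lever when npm reports "No fix available": review whether the affected package is ever exposed to untrusted input, and record that decision. The following is an added example, not code from attack-navigator, npm, or either commenter. It triages `npm audit --json` output (npm 7+ report schema, whose `vulnerabilities`, `via`, `isDirect`, `nodes` and `fixAvailable` fields are real), separating findings `npm audit fix` can resolve from those it cannot, and exposes a CI gate that fails until each unfixable finding has been reviewed and listed as accepted. The sample report is constructed to mirror the is_js entry quoted in the issue; the advisory URL is a placeholder and the other package names are invented.

```javascript
// Triage for `npm audit --json` output (npm 7+ report schema).
// Added example, not code from attack-navigator or npm. It separates
// findings npm can fix from those reported with no available fix, so the
// latter get an explicit exposure review (does untrusted input ever reach
// the package?) instead of being silently ignored.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Summarise one entry of report.vulnerabilities. `via` mixes advisory
// objects with plain strings (names of dependencies that caused the entry);
// `fixAvailable` is false, true, or {name, version, isSemVerMajor}.
function describeFinding(entry) {
  const advisories = entry.via
    .filter((v) => typeof v === "object")
    .map((v) => ({ title: v.title, url: v.url, range: v.range }));
  return {
    name: entry.name,
    severity: entry.severity,
    direct: Boolean(entry.isDirect),
    paths: entry.nodes || [],
    advisories,
    fixable: entry.fixAvailable !== false,
    semverMajorFix:
      typeof entry.fixAvailable === "object" && Boolean(entry.fixAvailable.isSemVerMajor),
  };
}

// Split the report into fixable and unfixable findings at or above minSeverity.
function triageAudit(report, minSeverity = "moderate") {
  const threshold = SEVERITY_RANK[minSeverity] ?? 0;
  const fixable = [];
  const unfixable = [];
  for (const entry of Object.values(report.vulnerabilities || {})) {
    if ((SEVERITY_RANK[entry.severity] ?? 0) < threshold) continue;
    const finding = describeFinding(entry);
    (finding.fixable ? fixable : unfixable).push(finding);
  }
  return { fixable, unfixable };
}

// CI gate: true when an unfixable finding at or above `severity` exists whose
// name is not in `accepted` (packages whose exposure has been reviewed and the
// decision documented, e.g. "not reachable by untrusted input").
function needsReview(report, severity = "high", accepted = []) {
  return triageAudit(report, severity).unfixable.some((f) => !accepted.includes(f.name));
}

// Constructed sample in the shape `npm audit --json` prints. The is_js entry
// mirrors the report quoted in the issue; the advisory URL is a placeholder
// and the other two packages are invented.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    is_js: {
      name: "is_js",
      severity: "high",
      isDirect: false,
      via: [{ source: 0, name: "is_js", dependency: "is_js",
              title: "Regular Expression Denial of Service",
              url: "https://github.com/advisories/GHSA-PLACEHOLDER",
              severity: "high", range: "<=0.9.0" }],
      effects: [],
      range: "*",
      nodes: ["node_modules/is_js"],
      fixAvailable: false,
    },
    "sample-direct-pkg": {
      name: "sample-direct-pkg", severity: "moderate", isDirect: true,
      via: [{ source: 1, name: "sample-direct-pkg", dependency: "sample-direct-pkg",
              title: "Constructed advisory", url: "https://example.invalid/advisory",
              severity: "moderate", range: "<2.0.0" }],
      effects: [], range: "<2.0.0", nodes: ["node_modules/sample-direct-pkg"],
      fixAvailable: { name: "sample-direct-pkg", version: "2.0.0", isSemVerMajor: true },
    },
    "sample-low-pkg": {
      name: "sample-low-pkg", severity: "low", isDirect: false,
      via: ["sample-direct-pkg"], effects: [], range: "*",
      nodes: ["node_modules/sample-low-pkg"], fixAvailable: true,
    },
  },
};

// Stand-alone run: print what a reviewer would look at for each unfixable finding.
const { unfixable } = triageAudit(SAMPLE_AUDIT, "moderate");
for (const f of unfixable) {
  console.log(`${f.name} [${f.severity}] direct=${f.direct} at ${f.paths.join(", ")}`);
  for (const a of f.advisories) console.log(`  ${a.title} (${a.range}) ${a.url}`);
}
console.log("CI needs review:", needsReview(SAMPLE_AUDIT, "high"));
```

In practice the script is fed with `npm audit --json > audit.json` and the accepted list is kept under version control next to the reasoning for each entry, so the gate turns green only after someone has written down why the package is not reachable by untrusted input (or how it is contained, for instance by bounding input length before any regex-based validation runs).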

Understood, it makes sense. Will follow it, thanks.