winstonjs/winston-daily-rotate-file

CVE-2017-18214 - Update or replace file-stream-rotator dependency

ddsharpe opened this issue · 2 comments

Update or replace file-stream-rotator dependency to a version that excludes the vulnerable code. CVE-2017-18214, The moment module before 2.19.3 for Node.js is prone to a regular expression denial of service via a crafted date string, a different vulnerability than CVE-2016-4055. The file-stream-rotator declares its dependency as "moment": "^2.11.2" making it possible for the vulnerable version to become part of the distribution.
The file-stream-rotator project appears to be abandoned.
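The practical question behind this report is whether the declared range still lets a fresh install resolve an affected moment, and whether the moment actually in your tree predates the fix. The script below is an added example written for this issue, not code from winston-daily-rotate-file, file-stream-rotator or moment; it assumes plain MAJOR.MINOR.PATCH versions and a single caret range with MAJOR >= 1 (enough for "^2.11.2", not the full node-semver grammar). The `auditMoment` helper and its field names are my own.

```javascript
// Added example (not code from winston-daily-rotate-file, file-stream-rotator
// or moment). Checks whether a declared dependency range still admits versions
// older than a fix, and whether a given resolved version is in that range.
// Assumptions: plain MAJOR.MINOR.PATCH versions (no prerelease or build tags)
// and a single caret range with MAJOR >= 1; that covers "^2.11.2" from the
// issue but not the full node-semver grammar.

const DECLARED_RANGE = '^2.11.2'; // file-stream-rotator's moment range (from the issue)
const FIXED_VERSION = '2.19.3';   // first moment release not affected by CVE-2017-18214

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1, comparing numerically per component (so 2.19.10 > 2.19.9).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "^X.Y.Z" with X >= 1 means >= X.Y.Z and < (X+1).0.0: every later minor and
// patch release of the same major line is acceptable to the resolver.
function caretRangeBounds(range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are handled: ${range}`);
  const [major, minor, patch] = parseVersion(range.slice(1));
  if (major < 1) throw new Error('^0.y.z ranges pin minor/patch and are not handled here');
  return { min: `${major}.${minor}.${patch}`, maxExclusive: `${major + 1}.0.0` };
}

function rangeAdmitsVersion(range, version) {
  const { min, maxExclusive } = caretRangeBounds(range);
  return compareVersions(version, min) >= 0 && compareVersions(version, maxExclusive) < 0;
}

// The audit question from the issue: can the resolver still pick a version
// older than the fix? True whenever the range's lower bound predates the fix.
function rangeAdmitsVulnerable(range, fixedVersion) {
  return compareVersions(caretRangeBounds(range).min, fixedVersion) < 0;
}

// The deployment question: is the version actually resolved in this tree
// (e.g. `node -p "require('moment/package.json').version"`) still affected?
function isVulnerable(resolvedVersion, fixedVersion = FIXED_VERSION) {
  return compareVersions(resolvedVersion, fixedVersion) < 0;
}

// One-call summary suitable for a lockfile or CI check (hypothetical helper).
function auditMoment(resolvedVersion, range = DECLARED_RANGE, fixedVersion = FIXED_VERSION) {
  return {
    range,
    fixedVersion,
    rangeAdmitsVulnerable: rangeAdmitsVulnerable(range, fixedVersion),
    resolvedVersion,
    resolvedIsVulnerable: isVulnerable(resolvedVersion, fixedVersion),
  };
}
```

Two separate facts fall out of this: `rangeAdmitsVulnerable('^2.11.2', '2.19.3')` is true, so a lockfile-less install can still regress even if today's `node_modules/moment` happens to be 2.19.3 or later; and `isVulnerable(resolved)` is what a lockfile pin or a resolver override (npm `overrides`, yarn `resolutions`) has to keep false.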

+1

There is a race condition in file-stream-rotator when creating log directories (rogerc/file-stream-rotator#81), which throws an EEXIST error. I don't think this PR will be merged because file-stream-rotator has not been updated in the last two years...

wbt commented

It looks like this is fixed in #332; closing for now. Please comment/reopen if that doesn't cover it!