Security updates in deps #32
Comments
Thanks for your report, these will be upgraded or removed in the coming 3.0 release. Regarding the specifics of the report though: ascii art only uses d3-color in the d3 mode and uses a specific set of descriptions for color (RGB, hex or named values), so any vulnerability would come from generating unsanitized inputs in code (on a server). AKA allowing a user to upload source code and then processing that, since all non-ANSI color handling is programmatic, which is, itself, highly questionable. I recommend not trying that in the first place, but will be updating to a version not vulnerable to ReDoS.
Thanks again for the report, I'll leave it open until 3.0 drops.
[email protected] has a couple of dependency updates, that should be updated due to a high risk, due to the version of d3-color and cli for this package. This is the result of running an audit on the package.