
Vulnerability in dependency for Yo #780

Open
smartguest opened this issue Feb 7, 2023 · 2 comments

Comments

@smartguest

smartguest commented Feb 7, 2023

Type of issue

BUG

In a scan for one of our repos, we found a security issue inside Yo where "http-cache-semantics" is vulnerable to Regular Expression DoS (ReDoS):

CVE-2022-25881

This is caused by a transitive dependency found in the current version of Yo :

"[email protected] requires [email protected] via a transitive dependency on [email protected]"

The version of "http-cache-semantics" that is secure is 4.1.1.

Updating to Yo 4.3.1 did not fix this issue.

My environment

  • OS version/details: Windows 10 64-bit
  • Node version: 16.8.1 (run node --version in your terminal)
  • npm version: 8.12.1 (run npm --version in your terminal)
  • Version of yo : 4.3.1 (run yo --version in your terminal)
@dsokur

dsokur commented Feb 13, 2023

@smartguest Hi, did you manage to fix it ?

@strmer15
Contributor

strmer15 commented Nov 3, 2023

I believe my changes in #794 fix this.


3 participants