Regular Expression Denial of Service (ReDoS) vulnerability #3527

Closed
MateuszKikmunter opened this issue Apr 6, 2023 · 3 comments

@MateuszKikmunter

Basic info:

  • Node.js version: 16.15.1
  • jsdom version: 21.1.0

Snyk reports that jsdom is vulnerable to Regular Expression Denial of Service (ReDoS).

Minimal reproduction case

Run snyk scan against the package.

@MateuszKikmunter
Author

Closing as there's a PR with a fix pending in the word-wrap repo.

@jacobleesinger

It doesn't look like that PR's ever going to get merged 😞

@nchevsky

For anyone else depending on jsdom <= 21, it's possible to upgrade escodegen to v2.1.0 which moves optionator from dependencies to devDependencies, removing word-wrap from the equation altogether.

Before

└─┬ jest-environment-jsdom@29.6.0
  └─┬ jsdom@20.0.1
    └─┬ escodegen@2.0.0
      └─┬ optionator@0.8.3
        └── word-wrap@1.2.3

After

└─┬ jest-environment-jsdom@29.6.0
  └─┬ jsdom@20.0.1
    └── escodegen@2.1.0
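
The before/after trees in the comment above can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from the jsdom project: it walks a tree in the nested `dependencies` shape that `npm ls --all --json` prints and lists every path ending at `word-wrap`. The two sample trees are constructed from the listings above, and `findPaths` and `report` are hypothetical helper names.

```javascript
// Added example: list every dependency path that ends at a target package.
// Input shape assumed: { dependencies: { name: { version, dependencies } } },
// i.e. the nesting used by `npm ls --all --json`.
function findPaths(node, target, trail = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const step = trail.concat(`${name}@${dep.version}`);
    if (name === target) out.push(step.join(" > "));
    // Keep descending: the target may also appear deeper under another parent.
    findPaths(dep, target, step, out);
  }
  return out;
}

// Constructed sample mirroring the "Before" listing (escodegen 2.0.0).
const before = { dependencies: { "jest-environment-jsdom": { version: "29.6.0",
  dependencies: { jsdom: { version: "20.0.1",
    dependencies: { escodegen: { version: "2.0.0",
      dependencies: { optionator: { version: "0.8.3",
        dependencies: { "word-wrap": { version: "1.2.3" } } } } } } } } } } };

// Constructed sample mirroring the "After" listing (escodegen 2.1.0).
const after = { dependencies: { "jest-environment-jsdom": { version: "29.6.0",
  dependencies: { jsdom: { version: "20.0.1",
    dependencies: { escodegen: { version: "2.1.0" } } } } } } };

// Summarise one tree: the offending paths, or a note that none remain.
function report(label, tree, target) {
  const paths = findPaths(tree, target);
  return paths.length
    ? paths.map((p) => `${label}: ${p}`)
    : [`${label}: ${target} is not in the tree`];
}

for (const line of [...report("before", before, "word-wrap"),
                    ...report("after", after, "word-wrap")]) {
  console.log(line);
}
```

To check a real project, pass the parsed output of `npm ls --all --json` as the tree instead of the constructed samples.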
