Closed ghost closed 5 years ago
@yogenpatel This is not a problem of `sshpk`. `sshpk` has a fixed version, namely 1.14.1 (like the "more info" link states 😉).
This is an issue of whatever package having outdated dependencies resulting in an old `sshpk` version being installed in your project.
I suggest closing this issue here and opening it in the right repo.
@yogenpatel Given that Snyk doesn't complain on a recent `webpack` version, probably the issue you are observing is caused by the fact that you are using an old webpack version or an outdated `node_modules` directory. Consider updating to a recent `webpack` version and updating your `node_modules` dir.
@tolnai @caioincau ^^
Also — you are not alone, I have seen people making this mistake multiple times already. Perhaps the `npm audit` report needs to be rephrased to avoid this, atm they assume that people follow the «more details» link, it seems.
It sounds like this was sorted out, so I'm going to close it. Please re-open if I got it wrong.
Ran audit on this package and following is the vulnerability report. Getting Regular Expression Denial of Service as a High risk vulnerability

```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ sshpk                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > watchpack > chokidar > fsevents > node-pre-gyp >   │
│               │ request > http-signature > sshpk                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/606                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
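The check the replies describe (finding which installed copy of `sshpk` is older than the fixed 1.14.1, and where it sits in the tree), as an added example that is not part of this thread or of sshpk's code. It assumes an npm `lockfileVersion: 1` `package-lock.json`; the function names and the sample lockfile are constructed for illustration.

```javascript
// Fixed sshpk version, as stated in the thread above.
const FIXED = '1.14.1';

// Compare two plain x.y.z versions numerically (so 1.9.0 < 1.14.1).
// Pre-release tags are not handled in this sketch.
function cmp(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the nested "dependencies" maps of a lockfileVersion 1 tree and collect
// every installed copy of `name` older than `fixed`. The nesting reflects where
// the copy is installed in node_modules, which shows who pins the old version.
function findOutdated(node, name, fixed, trail = [node.name || '(root)']) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    if (dep === name && cmp(info.version, fixed) < 0) {
      hits.push({ version: info.version, nestedUnder: trail.join(' > '), dev: !!info.dev });
    }
    hits.push(...findOutdated(info, name, fixed, trail.concat(dep)));
  }
  return hits;
}

// Constructed sample: a fixed copy hoisted to the top level and an
// outdated copy nested under another package.
const sampleLock = {
  name: 'my-app',
  lockfileVersion: 1,
  dependencies: {
    sshpk: { version: '1.14.1', dev: true },
    fsevents: {
      version: '1.2.4', dev: true, optional: true,
      dependencies: { sshpk: { version: '1.13.1', dev: true } }
    }
  }
};

console.log(findOutdated(sampleLock, 'sshpk', FIXED));
```

To run it against a real project, replace `sampleLock` with the parsed contents of the project's own `package-lock.json`.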