Closed gamboaa closed 1 year ago
This is a development dependency that should not be run in production code. Denial of service attacks are only pertinent to long-running public-facing services. If someone manages to craft a cookie which causes chai-http to hang, then the user will kill the hanging test harness and move on with their day.
I'm closing this as wontfix.
The current version of this package depends on cookiejar@2.1.2 which has a known vulnerability.
CVE-2022-25901
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function, which uses an insecure regular expression.
─┬ chai-http@4.3.0
  ├── cookiejar@2.1.2
  └─┬ superagent@3.8.3
    └── cookiejar@2.1.2 deduped
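The maintainer's wontfix reasoning rests on cookiejar being reachable only through a devDependency. The following is an added example, not code from the issue or from the chai-http project, that checks exactly that against a package-lock.json (lockfileVersion 2 or 3) "packages" map: it lists every installed cookiejar copy below the fixed version 2.1.4 and reports whether npm flagged it as dev-only. The lockfile fragment is constructed to mirror the npm ls tree above, plus a hypothetical production dependency named example-api-client that carries its own nested superagent/cookiejar to show the case where the argument would not hold; the version ranges and that package name are assumptions.

```javascript
// Added example (not from the chai-http issue): scan a package-lock.json v2/v3
// "packages" map for cookiejar copies below the fixed version and report whether
// each copy is dev-only (lockfile "dev": true) or reachable from production code.
const FIXED_VERSION = "2.1.4"; // first cookiejar release without the ReDoS (CVE-2022-25901)

// Compare two dotted numeric versions; returns negative, zero or positive.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// packages: the "packages" object of a lockfileVersion 2 or 3 package-lock.json.
// Returns one finding per installed cookiejar copy older than FIXED_VERSION.
function findVulnerableCookiejar(packages) {
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path.endsWith("node_modules/cookiejar")) continue;
    if (compareVersions(meta.version, FIXED_VERSION) >= 0) continue;
    findings.push({
      path,
      version: meta.version,
      // npm sets "dev": true only when every path from the root to the package
      // goes through a devDependency; no flag means it ships in production.
      devOnly: meta.dev === true,
    });
  }
  return findings;
}

// Summarise the findings; productionReachable is empty exactly when the
// "development dependency only" argument from the thread holds for this lockfile.
function report(packages) {
  const findings = findVulnerableCookiejar(packages);
  return {
    findings,
    productionReachable: findings.filter((f) => !f.devOnly).map((f) => f.path),
  };
}

// Constructed lockfile fragment: chai-http -> cookiejar and chai-http -> superagent
// -> cookiejar (deduped), as in the issue, plus a hypothetical production package
// "example-api-client" with its own nested superagent and cookiejar copies.
const SAMPLE_PACKAGES = {
  "": {
    devDependencies: { "chai-http": "^4.3.0" },
    dependencies: { "example-api-client": "^1.0.0" }, // hypothetical
  },
  "node_modules/chai-http": { version: "4.3.0", dev: true },
  "node_modules/cookiejar": { version: "2.1.2", dev: true },
  "node_modules/superagent": { version: "3.8.3", dev: true },
  "node_modules/example-api-client": { version: "1.0.0" },
  "node_modules/example-api-client/node_modules/superagent": { version: "3.8.3" },
  "node_modules/example-api-client/node_modules/cookiejar": { version: "2.1.2" },
};

console.log(JSON.stringify(report(SAMPLE_PACKAGES), null, 2));
```

On a real project, replace SAMPLE_PACKAGES with `JSON.parse(fs.readFileSync("package-lock.json")).packages`; a non-empty productionReachable list means a vulnerable cookiejar is bundled with shipped code and the fix has to come from upgrading that dependency chain, not from the test tooling.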