crisp-im / node-crisp-api

:zap: Crisp API Node Wrapper
https://docs.crisp.chat/guides/rest-api/
MIT License
99 stars 39 forks

Security issue with dependency ua-parser-js #19

Closed creativityjuice closed 3 years ago

creativityjuice commented 3 years ago

Hi there,

Snyk found a severe security issue with a dependency in your package (see below). Could you update your dependency to fix that?

  ✗ Regular Expression Denial of Service (ReDoS) [High Severity][https://snyk.io/vuln/SNYK-JS-UAPARSERJS-1023599] in ua-parser-js@0.7.22
    introduced by node-crisp-api@1.11.0 > fbemitter@2.0.2 > fbjs@0.7.2 > ua-parser-js@0.7.22
  This issue was fixed in versions: 0.7.23

Cheers,

creativityjuice commented 3 years ago

There is also another medium security issue with another dependency of the dependency fbemitter. It would be nice to fix that at the same time:

  ✗ Denial of Service [Medium Severity][https://snyk.io/vuln/SNYK-JS-NODEFETCH-674311] in node-fetch@1.7.3
    introduced by node-crisp-api@1.11.0 > fbemitter@2.0.2 > fbjs@0.7.2 > isomorphic-fetch@2.2.1 > node-fetch@1.7.3
  This issue was fixed in versions: 2.6.1, 3.0.0-beta.9

creativityjuice commented 3 years ago

Could you please fix these issues?

eliottvincent commented 3 years ago

Partially fixed with version 1.11.1 (https://github.com/crisp-im/node-crisp-api/commit/efec81838727dec4ffee78ba233e911109ebf798). The second security issue is a no-fix for now as it hasn't been fixed yet by the sub-dependencies.
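As an added example (not code from the node-crisp-api project or from anyone in this thread), the script below walks a constructed copy of the dependency chain Snyk reported, flags versions below the advisory's first fixed version, and checks whether the parent package's declared range already admits the fix, which is what separates the ua-parser-js case (fixable by refreshing the lockfile) from the node-fetch case (blocked until isomorphic-fetch itself moves). The `range` values (`^0.7.9`, `^1.0.1`, and so on) are assumptions for illustration, not taken from the thread.

```javascript
// Constructed dependency tree mirroring the chains in the Snyk output above.
// The `range` fields are assumed for illustration, not read from real manifests.
const tree = {
  name: 'node-crisp-api', version: '1.11.0', deps: [
    { name: 'fbemitter', version: '2.0.2', range: '^2.0.0', deps: [
      { name: 'fbjs', version: '0.7.2', range: '^0.7.0', deps: [
        { name: 'ua-parser-js', version: '0.7.22', range: '^0.7.9', deps: [] },
        { name: 'isomorphic-fetch', version: '2.2.1', range: '^2.1.1', deps: [
          { name: 'node-fetch', version: '1.7.3', range: '^1.0.1', deps: [] },
        ] },
      ] },
    ] },
  ],
};
// First fixed versions as reported by Snyk in this thread.
const advisories = {
  'ua-parser-js': { fixed: '0.7.23', severity: 'High' },
  'node-fetch':   { fixed: '2.6.1',  severity: 'Medium' },
};

// Strip a leading ^/~ and any prerelease tag, return [major, minor, patch].
const parse = v => v.replace(/^[\^~]/, '').split('-')[0].split('.').map(Number);
// strcmp-style comparison of two plain versions.
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}
// Minimal caret-range check: >= base, and every component up to the first
// non-zero one must match (^0.7.9 allows 0.7.23 but not 0.8.0; ^1.0.1 not 2.6.1).
function satisfiesCaret(range, version) {
  const base = parse(range), v = parse(version);
  if (cmp(version, range) < 0) return false;
  const idx = base.findIndex(n => n !== 0);
  const lock = idx === -1 ? 2 : idx;
  for (let i = 0; i <= lock; i++) if (base[i] !== v[i]) return false;
  return true;
}
// Depth-first walk: report each vulnerable node with its introduction chain and
// whether a lockfile refresh alone can reach the fixed version.
function audit(node, chain = []) {
  const path = [...chain, `${node.name}@${node.version}`];
  const findings = [];
  const adv = advisories[node.name];
  if (adv && cmp(node.version, adv.fixed) < 0) {
    findings.push({ path: path.join(' > '), severity: adv.severity,
      fixedIn: adv.fixed, fixable: satisfiesCaret(node.range, adv.fixed) });
  }
  for (const d of node.deps) findings.push(...audit(d, path));
  return findings;
}
for (const f of audit(tree)) console.log(f);
```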

creativityjuice commented 3 years ago

Great, thanks a lot!