dylano
commented
3 years ago @dependabot merge
On Sun, Oct 17, 2021 at 12:23 PM dependabot[bot] @.***> wrote:
This automated pull request fixes a security vulnerability https://github.com/dylano/tw-reader/security/dependabot/react-app/package-lock.json/color-string/open (moderate severity).
Learn more about Dependabot security updates https://docs.github.com/github/managing-security-vulnerabilities/configuring-dependabot-security-updates.
Bumps color-string https://github.com/Qix-/color-string from 1.5.4 to 1.6.0. Release notes
Sourced from color-string's releases https://github.com/Qix-/color-string/releases.
1.6.0 Minor release 1.6.0
55 https://github.com/Qix-/color-string/issues/55 - Add support
for space-separated HSL
Thanks @htunnicliff https://github.com/htunnicliff for the contribution :) 1.5.5 (Patch/Security Release) - hwb() ReDos patch (low-severity)
Release notes copied verbatim from the commit message, which can be found here: 0789e21284c33d89ebc4ab4ca6f759b9375ac9d3
Discovered by Yeting Li, c/o Colin Ife via Snyk.io.
A ReDos (Regular Expression Denial of Service) vulnerability
was responsibly disclosed to me via email by Colin on
Mar 5 2021 regarding an exponential time complexity for
linearly increasing input lengths for hwb() color strings.
Strings reaching more than 5000 characters would see several
milliseconds of processing time; strings reaching more than
50,000 characters began seeing 1500ms (1.5s) of processing time.
The cause was due to a the regular expression that parses
hwb() strings - specifically, the hue value - where
the integer portion of the hue value used a 0-or-more quantifier
shortly thereafter followed by a 1-or-more quantifier.
This caused excessive backtracking and a cartesian scan,
resulting in exponential time complexity given a linear
increase in input length.
Thank you Yeting Li and Colin Ife for bringing this to my
attention in a secure, responsible and professional manner.
A CVE will not be assigned for this vulnerability.
Commits
- 1a68f9e https://github.com/Qix-/color-string/commit/1a68f9e91266f504e33441fcab59af22fcb1358d 1.6.0
- 2b6f59c https://github.com/Qix-/color-string/commit/2b6f59cfa64288b6c1028e666d1ea8b6a4b0132e Add additional HSL examples to README
- 6f73e20 https://github.com/Qix-/color-string/commit/6f73e205202c95ba7e6fd5afdffedd4552579a38 Update HSL regular expression
- 0264546 https://github.com/Qix-/color-string/commit/02645465a23f5bcfb35bd44e29667397a4595ec2 Add tests for space-separated HSL syntax
- 966ae4d https://github.com/Qix-/color-string/commit/966ae4d80fc8f237674d099ce6214a9fb6a816bb 1.5.5
- 0789e21 https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3 fix ReDos in hwb() parser (low-severity)
- See full diff in compare view https://github.com/Qix-/color-string/compare/1.5.4...1.6.0
[image: Dependabot compatibility score] https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page https://github.com/dylano/tw-reader/network/alerts.
You can view, comment on, or merge this pull request online at:
https://github.com/dylano/tw-reader/pull/88 Commit Summary
- Bump color-string from 1.5.4 to 1.6.0 in /react-app https://github.com/dylano/tw-reader/pull/88/commits/631f2345c73f1df51ffd066c27d068f7779fffd4
File Changes
- M react-app/package-lock.json https://github.com/dylano/tw-reader/pull/88/files#diff-b6e81a2b8b7705d96b55e99ebf2e40fd352c30d0d4806042debdedb9b84454c9 (6)
Patch Links:
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/dylano/tw-reader/pull/88, or unsubscribe https://github.com/notifications/unsubscribe-auth/AASPSNAIEC4KXO3CUXAKHV3UHMPD5ANCNFSM5GFEQ4MQ .
Bumps color-string from 1.5.4 to 1.6.0.
Release notes
Sourced from color-string's releases.
Commits
1a68f9e1.6.02b6f59cAdd additional HSL examples to README6f73e20Update HSL regular expression0264546Add tests for space-separated HSL syntax966ae4d1.5.50789e21fix ReDos in hwb() parser (low-severity)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/dylano/tw-reader/network/alerts).