Closed matthewoestreich closed 3 years ago
Given that you’re testing your own code with your own code, this does not seem like a vulnerability to me, at least via enzyme.
Given both that this is a false positive here, and also that https://github.com/cheeriojs/cheerio/issues/1924#issuecomment-856883288 indicates that css-what < 4 is unaffected, and since we use v2.1, this can be closed:

root:

$ npm explain css-what
css-what@2.1.3 dev
node_modules/css-what
  css-what@"2.1" from css-select@1.2.0
  node_modules/css-select
    css-select@"~1.2.0" from cheerio@0.22.0
    node_modules/cheerio
      cheerio@"*" from gitbook-plugin-anchors@0.7.1
      node_modules/gitbook-plugin-anchors
        dev gitbook-plugin-anchors@"^0.7.1" from the root project

enzyme itself:

$ npm explain css-what
css-what@2.1.3
node_modules/css-what
  css-what@"2.1" from css-select@1.2.0
  node_modules/css-select
    css-select@"~1.2.0" from cheerio@1.0.0-rc.3
    node_modules/cheerio
      cheerio@"=1.0.0-rc.3" from the root project

CVE-2021-33587
high severity
Vulnerable versions: < 5.0.1
Patched version: 5.0.1
The css-what package before 5.0.1 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
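
The triage done by hand in the comment above, applied to a lockfile, as an added example (not code from enzyme, cheerio or npm). The `< 5.0.1` bound is the advisory's; the `< 4` bound is the thread's report of the linked cheerio comment, not the advisory's; `sampleLock` and its `pkg-a`/`pkg-b` entries are constructed.

```javascript
// Added example: classify every installed css-what against CVE-2021-33587.
const ADVISORY_FIXED = '5.0.1';   // advisory: vulnerable < 5.0.1
const UNAFFECTED_BELOW = '4.0.0'; // assumption taken from the thread: css-what < 4 unaffected

// Compare plain x.y.z versions (prerelease suffix ignored); returns -1, 0 or 1.
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
function triage(lock, name = 'css-what') {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the package at any nesting depth, but not scoped look-alikes.
    if (!path.endsWith('node_modules/' + name)) continue;
    const flagged = cmp(meta.version, ADVISORY_FIXED) < 0;
    const inReportedRange = flagged && cmp(meta.version, UNAFFECTED_BELOW) >= 0;
    let verdict = 'patched';
    if (inReportedRange) verdict = 'upgrade';
    else if (flagged) verdict = 'flagged-but-reported-unaffected';
    // devOnly: the copy is never installed for consumers of the package.
    findings.push({ path, version: meta.version, devOnly: meta.dev === true, verdict });
  }
  return findings;
}

// Constructed lockfile fragment; pkg-a and pkg-b are hypothetical parents.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'constructed-project' },
    'node_modules/css-what': { version: '2.1.3', dev: true },
    'node_modules/pkg-a/node_modules/css-what': { version: '4.0.0' },
    'node_modules/pkg-b/node_modules/css-what': { version: '5.0.1' },
  },
};

console.table(triage(sampleLock));
```

A `flagged-but-reported-unaffected` verdict still shows up in `npm audit`, so record the reasoning next to any suppression rather than silently ignoring it.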