enzymejs / enzyme

JavaScript Testing utilities for React
https://enzymejs.github.io/enzyme/
MIT License

CVE-2021-33587 #2522

Closed oze4 closed 3 years ago

oze4 commented 3 years ago

CVE-2021-33587

high severity

Vulnerable versions: < 5.0.1

Patched version: 5.0.1

The css-what package before 5.0.1 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.

meendoo commented 3 years ago

Worth checking - https://github.com/cheeriojs/cheerio/issues/1924#issuecomment-856883288

ljharb commented 3 years ago

Given that you’re testing your own code with your own code, this does not seem like a vulnerability to me, at least via enzyme.

ljharb commented 3 years ago

Given both that this is a false positive here, and also that https://github.com/cheeriojs/cheerio/issues/1924#issuecomment-856883288 indicates that css-what < 4 is unaffected, and since we use v2.1, this can be closed.

root:

$ npm explain css-what
css-what@2.1.3 dev
node_modules/css-what
  css-what@"2.1" from css-select@1.2.0
  node_modules/css-select
    css-select@"~1.2.0" from cheerio@0.22.0
    node_modules/cheerio
      cheerio@"*" from gitbook-plugin-anchors@0.7.1
      node_modules/gitbook-plugin-anchors
        dev gitbook-plugin-anchors@"^0.7.1" from the root project

enzyme itself:

$ npm explain css-what
css-what@2.1.3
node_modules/css-what
  css-what@"2.1" from css-select@1.2.0
  node_modules/css-select
    css-select@"~1.2.0" from cheerio@1.0.0-rc.3
    node_modules/cheerio
      cheerio@"=1.0.0-rc.3" from the root project
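A way to automate the check ljharb does by hand with `npm explain`, as an added example that is not part of the thread or of enzyme's code: it walks the JSON tree that `npm ls --all --json` prints (a constructed sample mirroring the root-project output above is embedded), lists every resolved copy of css-what with its dependency path, and flags copies inside the affected range. The range [4.0.0, 5.0.1) follows the thread's note that css-what < 4 is unaffected and 5.0.1 is the patched version; `audit`, `findPackage` and the version helpers are assumed names for this example, not an npm API.

```javascript
// Added example (not enzyme's code): audit an `npm ls --all --json` tree for
// every resolved copy of a package and flag versions in an affected range.

// Constructed sample mirroring the root-project `npm explain css-what` output.
const sampleTree = {
  name: "enzyme-root",
  dependencies: {
    "gitbook-plugin-anchors": {
      version: "0.7.1", dev: true,
      dependencies: {
        cheerio: {
          version: "0.22.0",
          dependencies: {
            "css-select": {
              version: "1.2.0",
              dependencies: { "css-what": { version: "2.1.3" } },
            },
          },
        },
      },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH[-pre]"; a prerelease sorts below its release.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([\w.]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Affected iff min <= version < fixed (fixed is the patched release).
function isAffected(version, { min, fixed }) {
  return compareVersions(version, min) >= 0 && compareVersions(version, fixed) < 0;
}

// Depth-first walk: record each copy of `pkg`, its path, and whether it is
// dev-only (the node or any ancestor carries npm's `dev` flag).
function findPackage(tree, pkg, path = [], dev = false, out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    const isDev = dev || Boolean(node.dev);
    if (name === pkg) out.push({ version: node.version, path: here, dev: isDev });
    findPackage(node, pkg, here, isDev, out);
  }
  return out;
}

function audit(tree, pkg, range) {
  return findPackage(tree, pkg).map(h => ({ ...h, affected: isAffected(h.version, range) }));
}

// CVE-2021-33587 range as discussed in the thread: css-what < 4 unaffected, fixed in 5.0.1.
const CSS_WHAT_RANGE = { min: "4.0.0", fixed: "5.0.1" };
```

Feed it the real tree with `JSON.parse(fs.readFileSync(...))` after running `npm ls --all --json > tree.json`; a hit with `affected: false` and `dev: true`, as here, is the "false positive" ljharb describes.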