Closed sindhusadasivam closed 3 years ago
Like almost every CVE, this is a false positive. It's not actually a vulnerability in the way enzyme uses cheerio/css-what. The proper thing to do is ignore the invalid warning.
No, we can't do such an update, because it's a breaking change. See https://github.com/enzymejs/enzyme/commit/cafdb2b86ed8865527cdd6ae31c42593d3728ceb#diff-851cdf11f11c6e614bb0fe08160c19509ddc5c33afb5499b98c244d7ca812e06 and https://github.com/cheeriojs/cheerio/issues/1585
Enzyme uses a cheerio version (1.0.0-rc.3) which has the older version of cheerio-select with a vulnerable (Denial of Service) css-what version.
See here, uses "cheerio": "=1.0.0-rc.3"
Css-what, cheerio-select and cheerio have fixed this vulnerability in their latest versions released.
Can enzyme do an update to use the latest cheerio 1.0.0-rc.10 version?
Note: I did see the other related issues that are in closed status. But this is still an issue for us in enzyme 3.11.0
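The thread above turns on a triage question rather than a code change: which copy of css-what is installed, which dependency chain pulls it in, and whether that chain is reachable from production code or only from a test-time dev dependency like enzyme. The script below is an added example (not enzyme's, cheerio's, or npm's code) that answers those questions from a package-lock.json in the lockfileVersion 2/3 "packages" layout. The embedded lockfile is constructed to mirror the situation the reporter describes (a current top-level cheerio, plus a nested older cheerio under enzyme because of the "=1.0.0-rc.3" pin); its version numbers, the enzyme -> cheerio -> cheerio-select -> css-what chain, and the `FIXED_IN` threshold are placeholders, not values taken from a real lockfile or advisory.

```python
"""Triage a transitive-dependency advisory against a package-lock.json.

Added example for the enzyme/cheerio thread; not project code. For every
installed copy of the advised package it reports the version, whether it is
below the fixed version, the chain of dependents back to the project root,
and whether that chain enters through a devDependency only.
"""
import json
from typing import Dict, FrozenSet, List, Optional

# Constructed lockfile fragment (lockfileVersion 2/3 "packages" layout).
# Only the fields this script reads are present. The dependency chain and
# all version numbers are illustrative placeholders, not a real lockfile.
LOCKFILE_JSON = """
{
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"cheerio": "^1.0.0-rc.10"},
         "devDependencies": {"enzyme": "^3.11.0"}},
    "node_modules/cheerio": {"version": "1.0.0-rc.10",
         "dependencies": {"cheerio-select": "^1.5.0"}},
    "node_modules/cheerio-select": {"version": "1.5.0",
         "dependencies": {"css-what": "^5.0.1"}},
    "node_modules/css-what": {"version": "5.1.0"},
    "node_modules/enzyme": {"version": "3.11.0", "dev": true,
         "dependencies": {"cheerio": "=1.0.0-rc.3"}},
    "node_modules/enzyme/node_modules/cheerio": {"version": "1.0.0-rc.3",
         "dev": true, "dependencies": {"cheerio-select": "^0.1.0"}},
    "node_modules/enzyme/node_modules/cheerio-select": {"version": "0.1.0",
         "dev": true, "dependencies": {"css-what": "^4.0.0"}},
    "node_modules/enzyme/node_modules/css-what": {"version": "4.0.0",
         "dev": true}
  }
}
"""
LOCKFILE = json.loads(LOCKFILE_JSON)
FIXED_IN = "5.0.1"  # placeholder threshold; take the real value from the advisory


def name_of(path: str) -> str:
    """Package name from a lockfile path ("" is the project root)."""
    return "<root>" if path == "" else path.rsplit("node_modules/", 1)[1]


def version_tuple(version: str) -> tuple:
    """Compare on major.minor.patch only; pre-release tags are ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def resolve(packages: Dict[str, dict], from_path: str, name: str) -> Optional[str]:
    """Node-style resolution: nearest node_modules/<name> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("/node_modules/")  # strip the innermost nesting level
        base = base[:idx] if idx >= 0 else ""


def build_dependents(packages: Dict[str, dict]) -> Dict[str, List[str]]:
    """Reverse dependency graph: installed path -> paths that depend on it."""
    dependents: Dict[str, List[str]] = {path: [] for path in packages}
    for path, meta in packages.items():
        deps = dict(meta.get("dependencies", {}))
        if path == "":  # devDependencies are only installed for the root
            deps.update(meta.get("devDependencies", {}))
        for dep_name in deps:
            target = resolve(packages, path, dep_name)
            if target is not None:
                dependents[target].append(path)
    return dependents


def chains_to_root(dependents: Dict[str, List[str]], path: str,
                   seen: FrozenSet[str] = frozenset()) -> List[List[str]]:
    """Every dependent chain from `path` up to the project root."""
    if path == "":
        return [[""]]
    chains = []
    for parent in dependents.get(path, []):
        if parent in seen:  # cycle guard
            continue
        for chain in chains_to_root(dependents, parent, seen | {path}):
            chains.append([path] + chain)
    return chains


def triage(lockfile: dict, package_name: str, fixed_in: str) -> List[dict]:
    """One finding per installed copy of `package_name`."""
    packages = lockfile["packages"]
    dependents = build_dependents(packages)
    prod_top = set(packages[""].get("dependencies", {}))
    findings = []
    for path, meta in packages.items():
        if path == "" or name_of(path) != package_name:
            continue
        chains = chains_to_root(dependents, path)
        # A chain is dev-only when the entry directly below the root is not
        # a production dependency; that is the only place npm distinguishes.
        dev_only = bool(chains) and all(name_of(c[-2]) not in prod_top for c in chains)
        findings.append({
            "path": path,
            "version": meta["version"],
            "vulnerable": version_tuple(meta["version"]) < version_tuple(fixed_in),
            "dev_only": dev_only,
            "chains": [[name_of(p) for p in chain] for chain in chains],
        })
    return findings


if __name__ == "__main__":
    for f in triage(LOCKFILE, "css-what", FIXED_IN):
        status = "below fix" if f["vulnerable"] else "ok"
        scope = "dev-only" if f["dev_only"] else "production-reachable"
        print(f'{f["path"]} {f["version"]}: {status}, {scope}')
        for chain in f["chains"]:
            print("   ", " <- ".join(chain))
```

Run against the constructed lockfile, the top-level css-what resolves clean and production-reachable, while the nested copy under enzyme is below the threshold but reachable only through a devDependency. That second case is the one the maintainer's reply describes: the only selector parser that ever runs on this copy is enzyme's test-time API, so the finding can be recorded as accepted with that justification instead of forcing a breaking dependency upgrade; a finding flagged "production-reachable" is the one that warrants an update.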