estools / escodegen

ECMAScript code generator
BSD 2-Clause "Simplified" License

word-wrap vulnerable to Regular Expression Denial of Service #459

Closed nbouvrette closed 11 months ago

nbouvrette commented 1 year ago

optionator 0.8.3 - 0.9.1 depends on a vulnerable version of word-wrap

The word-wrap package is vulnerable to Regular Expression Denial of Service.

Details here: https://github.com/advisories/GHSA-j8xg-fqg3-53r7

Please update to optionator version 0.9.3 to fix this issue.

Dependency tree:

      └─┬ escodegen@1.14.3
        └─┬ optionator@0.8.3
          └── word-wrap@1.2.3
Adhikaripr commented 11 months ago

Will we be getting any update on this?

nbouvrette commented 11 months ago

@michaelficarra is there any way you can help with this?

I think there is already a PR ready as well https://github.com/estools/escodegen/pull/457

michaelficarra commented 11 months ago

Duplicate of #458. You can upgrade to the latest version of escodegen to resolve this issue.

nbouvrette commented 11 months ago

My bad @michaelficarra, I didn't realize optionator was removed in this commit.