facebook / docusaurus

Easy to maintain open source documentation websites.
https://docusaurus.io
MIT License

ws affected by a DoS when handling a request with many HTTP headers #10234

Closed jy95 closed 3 months ago

jy95 commented 3 months ago

Description

[image]

Reproducible demo

https://github.com/jy95/fhir-dosage-utils/tree/main/documentation

Steps to reproduce

Expected behavior

No CSV

Actual behavior

[image]

Your environment

No response

slorber commented 3 months ago

As explained in many other issues already, we don't plan to fix theoretical DoS vulnerabilities reported by npm audit, unless you prove how the vulnerability can be harmful to Docusaurus users.

A Docusaurus site has no runtime and does not use ws. Only the dev server does. If you try to DoS yourself through that vulnerability, we don't plan to fix that, sorry 😅

The reasons are explained here: https://overreacted.io/npm-audit-broken-by-design/