search

foreversd / forever-monitor

The core monitoring functionality of forever without the CLI
MIT License
1.16k stars 178 forks source link

Fix for Regular Expression Denial of Service (ReDoS) - please release new version #174

Open Arun-KumarH opened 5 years ago

Arun-KumarH commented 5 years ago

for-ever monitor is using an old version of chokidar "chokidar": "^1.7.0" and this has a dependency on braces package which has below vulnerability.

WS-2019-0019
(https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451)
moderate severity
Vulnerable versions: < 2.3.1
Patched version: 2.3.1

Version of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Can we expect a new release after the dependencies being updated ?

kibertoad commented 5 years ago

@indexzero

JoBrad commented 5 years ago

Any updates on getting a new release pushed that fixes this? Thanks.

christonomous commented 5 years ago

+1

MattyJ007 commented 5 years ago

:+1: Pretty please