foreversd / forever

A simple CLI tool for ensuring that a given script runs continuously (i.e. forever)
http://github.com/foreverjs/forever
MIT License

Security vulnerability reported by snyk #975

Open juan55860 opened 6 years ago

juan55860 commented 6 years ago

This vulnerability is reported by snyk

Regular Expression Denial of Service (ReDoS)
Vulnerable module: timespan
Introduced through: timespan@2.3.0

https://snyk.io/test/npm/forever/0.15.3?severity=high&severity=medium&severity=low

jamesfiltness commented 6 years ago

NSP checker also reported this. Looks like it boils down to fsevents needing to update their version of the Tough Cookie package: There's an open issue here: https://github.com/strongloop/fsevents/issues/187

The dependency chain looks like this: forever@0.15.3 > forever-monitor@1.7.1 > chokidar@1.7.0 > fsevents@1.1.2 > node-pre-gyp@0.6.36 > request@2.81.0 > tough-cookie@2.3.2

rahul-desai3 commented 5 years ago

I created https://github.com/foreverjs/forever/issues/960 to handle the vulnerabilities reported by NSP and SNYK.

kibertoad commented 5 years ago

Addressed by https://github.com/foreverjs/forever/pull/1014