get-alex / alex

Catch insensitive, inconsiderate writing
https://alexjs.com
MIT License

RegEx DoS attack in debug@2.x.x package #229

Closed MrBenJ closed 6 years ago

MrBenJ commented 6 years ago

Subject of the issue

There's a low severity vulnerability issue with the debug package used in babel 6 and Ava for tests.

Your environment

Steps to reproduce

1. Start a new project with npm init
2. Install alex with npm install alex
3. Notice the npm audit security vulnerability appear.

Expected behaviour

There should be no security vulnerabilities when installing alex

Actual behaviour

There is a low severity security vulnerability.

Offer of assistance

I can refactor the tests and upgrade ava to ava@next which uses Babel 7, and remove the old dependency of debug v2 to remove this vulnerability.

If this offer of assistance sounds good, go ahead and assign this issue to me and I'll take care of it right away!

Thank you for creating a wonderful project to contribute to!

wooorm commented 6 years ago

I think this issue isn’t really a problem, as this is just stuff used for development. It’s not like we’re running a server that could crash (in which case this would be a problem).

I do think that other people will see this warning and take it too literally though, so I’m fine with upgrading to ava@next 👍

MrBenJ commented 6 years ago

I totally agree with you on that @wooorm - The reason I'm bringing this up is that GitHub and npm both show big warnings on my repos that use your project. They look a little like this: [screenshot of the npm audit warning, dated 2018-10-11]

While it's alarming, it really isn't that bad of an issue, since like you said, Alex isn't running a server or similar.

I'll go ahead and fix this up for you. PR incoming before end of day today :) (USA time)

MrBenJ commented 6 years ago

Hello!

I found the root cause of the npm audit issue. It's here: https://github.com/alessioalex/git-spawned-stream/pull/5

I submitted a PR to that project as well. Those tests are passing right now and hopefully we can get this all taken care of :D.

As a quick side note, there's this great free tool I use to keep dependencies up to date called Greenkeeper.

Thanks again! Appreciate you maintaining this awesome project :)
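Tracing which direct dependency drags in the flagged transitive package is the step that led to git-spawned-stream above. The following is an added example, not code from the alex project or from anyone in this thread: it walks a dependency tree shaped like the JSON that `npm ls --json` prints and lists every path that ends in a given package at a given major version. The tree below is constructed for illustration (the package names mirror the thread, but the versions and the graph are not the real alex dependency graph).

```javascript
// Added example (not from the alex project or the issue thread): walk a
// dependency tree shaped like `npm ls --json` output and list every path
// that leads to a given package at a given major version, so a maintainer
// can see which direct dependency pulls in the flagged transitive package.

// Constructed sample tree; names follow the thread, versions and shape are
// illustrative, not the real alex dependency graph at the time of the issue.
const sampleTree = {
  name: "alex",
  version: "0.0.0-example",
  dependencies: {
    "git-spawned-stream": {
      version: "1.0.0",
      dependencies: {
        debug: { version: "2.6.9" }
      }
    },
    ava: {
      version: "0.25.0",
      dependencies: {
        "babel-core": {
          version: "6.26.3",
          dependencies: { debug: { version: "2.6.9" } }
        }
      }
    },
    "safe-dep": {
      version: "3.0.0",
      dependencies: { debug: { version: "4.1.0" } }
    }
  }
};

// Minimal major-version check: true when `version` starts with `<major>.`.
// (Intentionally simpler than full semver; enough for an audit triage script.)
function hasMajor(version, major) {
  const m = /^(\d+)\./.exec(String(version));
  return m !== null && Number(m[1]) === major;
}

// Depth-first walk over `dependencies` objects. Returns an array of
// strings like "ava > babel-core > debug@2.6.9", one per offending path.
function findPathsTo(tree, pkgName, major) {
  const hits = [];
  function walk(node, trail) {
    const deps = (node && node.dependencies) || {};
    for (const [name, child] of Object.entries(deps)) {
      const here = trail.concat(name);
      if (name === pkgName && hasMajor(child.version, major)) {
        hits.push(`${here.join(" > ")}@${child.version}`);
      }
      walk(child, here); // keep descending: nested copies may exist deeper
    }
  }
  walk(tree, []);
  return hits;
}

// Direct dependencies that are the root of at least one offending path;
// these are the packages whose upstream needs a fix or a version bump.
function directOffenders(tree, pkgName, major) {
  const roots = findPathsTo(tree, pkgName, major).map((p) => p.split(" > ")[0]);
  return [...new Set(roots)];
}

// Stand-alone run prints the result for the constructed tree.
if (typeof require !== "undefined" && require.main === module) {
  console.log(findPathsTo(sampleTree, "debug", 2));
  console.log(directOffenders(sampleTree, "debug", 2));
}
```

To use it on a real checkout, replace `sampleTree` with `JSON.parse` of the output of `npm ls --json` (the `dependencies` nesting is the same); the `directOffenders` list is then the set of packages to upgrade or report upstream, which is exactly the triage that separated git-spawned-stream from the rest of the devDependencies here.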

alessioalex commented 6 years ago

Issue fixed in git-spawned-stream, published version 1.0.1 to npm already.

wooorm commented 6 years ago

Perfect! OK if I close this?

alessioalex commented 6 years ago

fine by me, sure!