gotwarlost / istanbul

Yet another JS code coverage tool that computes statement, line, function and branch coverage with module loader hooks to transparently add coverage when running tests. Supports all JS coverage use cases including unit tests, server side functional tests and browser tests. Built for scale.

Fixes known vulnerability CVE-2017-18077 #869

Open ivoputzer opened 6 years ago

ivoputzer commented 6 years ago

Known vulnerability found: CVE-2017-18077 (Moderate severity). index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.

update suggested:

brace-expansion ~> 1.1.7

currently a transitive dependency of:

istanbul@0.4.5 ~> glob@5.0.15 ~> minimatch@3.0.3 ~> brace-expansion@1.1.6
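
As an added example (not code from this PR, from istanbul, or from brace-expansion), the following JavaScript audit walks an `npm ls --json`-shaped dependency tree and reports every brace-expansion occurrence below the 1.1.7 fix named above, with its full transitive path. The sample tree is constructed to mirror the chain reported in this comment; the `other-dep` branch is hypothetical and only shows that an already-fixed copy is not reported.

```javascript
// Added audit example (not project code); SAMPLE_TREE below is constructed.
const ADVISORY = { name: 'brace-expansion', fixedIn: '1.1.7', id: 'CVE-2017-18077' };

// Parse "MAJOR.MINOR.PATCH"; a leading "v", "^" or "~" is tolerated and ignored.
function parseSemver(version) {
  const m = /^[v^~]?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Numeric component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  const i = pa.findIndex((x, k) => x !== pb[k]);
  return i < 0 ? 0 : pa[i] < pb[i] ? -1 : 1;
}

// Affected if the installed version is strictly below the fixed release.
function isVulnerable(version, advisory = ADVISORY) {
  return compareSemver(version, advisory.fixedIn) < 0;
}

// Depth-first walk of an `npm ls --json`-style tree; returns one finding per
// affected occurrence, each carrying the full "a@1 > b@2 > ..." path.
function findVulnerablePaths(tree, advisory = ADVISORY) {
  const findings = [];
  const walk = (name, node, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (name === advisory.name && isVulnerable(node.version, advisory)) {
      findings.push({ id: advisory.id, version: node.version, path: here.join(' > ') });
    }
    for (const [child, sub] of Object.entries(node.dependencies || {})) walk(child, sub, here);
  };
  walk(tree.name, tree, []);
  return findings;
}

// Constructed sample: the chain from this PR plus a hypothetical 'other-dep'
// branch that already carries the fixed release, to show it is not reported.
const SAMPLE_TREE = {
  name: 'istanbul', version: '0.4.5',
  dependencies: {
    glob: { version: '5.0.15', dependencies: { minimatch: { version: '3.0.3',
      dependencies: { 'brace-expansion': { version: '1.1.6' } } } } },
    'other-dep': { version: '2.0.0', dependencies: { 'brace-expansion': { version: '1.1.7' } } },
  },
};

console.log(JSON.stringify(findVulnerablePaths(SAMPLE_TREE), null, 2));
```

Against a real project, feed the function the parsed output of `npm ls --json` instead of SAMPLE_TREE.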

ivoputzer commented 6 years ago

I'm totally aware of the prior deprecation notice as of #809, though this might deserve some attention @gotwarlost @davglass

cheers.

coveralls commented 6 years ago

Coverage remained the same at 97.523% when pulling ccbb6196de3a7160acc2f76a6f5be4aa9a04104f on ivoputzer:patch-1 into bc84c315271a5dd4d39bcefc5925cfb61a3d174a on gotwarlost:master.