jonschlinkert / kind-of

Get the native JavaScript type of a value, fast. Used by superstruct, micromatch and many others!
https://github.com/jonschlnkert
MIT License

kind-of-4.0.0 Vulnerability issue #34

Closed karthiRajendran closed 4 years ago

karthiRajendran commented 4 years ago

We are facing a vulnerability finding in the WhiteSource Bolt build report for the library "kind-of-4.0.0 (File: index.js)"; below I have given the error details. We have upgraded the fresh module to the latest version, 0.5.2, as mentioned in the error description, but the error is still not resolved. Kindly advise us.

Vulnerability : CVE-2017-16119

Library: kind-of-4.0.0 (File: index.js)

Description: Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition. Fix: Upgrade to version 0.5.2 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16119

doowb commented 4 years ago

I suggest asking WhiteSource about it, because there are no vulnerabilities in kind-of@4.0.0 and I don't see kind-of used in fresh. I also don't see any mention of kind-of in the CVEs that you linked.

karthiRajendran commented 4 years ago

Thanks for your reply. Just for your reference, I have attached the WhiteSource report screenshot below.