Closed vianch closed 1 year ago
Just encountered this as well, as the latest firebase-admin package is reliant on some packages that in turn are reliant on word-wrap.
Dealing with this as well. eslint depends on optionator which depends on word-wrap.
Any ETA on patch release?
Per this PR: https://github.com/jonschlinkert/word-wrap/pull/33
They aren't able to merge in due to bus factor and the original repo owner getting hit by a bus.
As a hack, they've published a new version under another package name.
Par for the course in JS community...
As seen here https://github.com/jonschlinkert/word-wrap/pull/33#issuecomment-1611621997
"overrides": {
"word-wrap" : "npm:@aashutoshrathi/word-wrap"
}
It appears this is currently a maintained version which you can override with.
This unfortunately breaks eslint for me:
Oops! Something went wrong! :(
ESLint: 8.43.0
Error: Cannot find module 'word-wrap'
Require stack:
- /home/jacquesg/dev/projects/lossbook/antaeus/node_modules/optionator/lib/help.js
- /home/jacquesg/dev/projects/lossbook/antaeus/node_modules/optionator/lib/index.js
- /home/jacquesg/dev/projects/lossbook/antaeus/node_modules/eslint/lib/options.js
- /home/jacquesg/dev/projects/lossbook/antaeus/node_modules/eslint/lib/cli.js
- /home/jacquesg/dev/projects/lossbook/antaeus/node_modules/eslint/bin/eslint.js
at Function.Module._resolveFilename (node:internal/modules/cjs/loader:933:15)
at Function.Module._load (node:internal/modules/cjs/loader:778:27)
at Module.require (node:internal/modules/cjs/loader:1005:19)
at require (node:internal/modules/cjs/helpers:102:18)
at Object.<anonymous> (/home/jacquesg/dev/projects/lossbook/antaeus/node_modules/optionator/lib/help.js:6:14)
at Object.<anonymous> (/home/jacquesg/dev/projects/lossbook/antaeus/node_modules/optionator/lib/help.js:260:4)
at Module._compile (node:internal/modules/cjs/loader:1105:14)
at Object.Module._extensions..js (node:internal/modules/cjs/loader:1159:10)
at Module.load (node:internal/modules/cjs/loader:981:32)
at Function.Module._load (node:internal/modules/cjs/loader:822:12)
I'm also on eslint 8.43.0 - is it possible there is some cache left-overs?
No, retried from clean as well. Ended up adding an override for optionator instead, which accomplishes the same thing effectively:
"overrides": {
"optionator" : "0.9.3"
}
Interesting - pleased you found your solution too.
Any updates?
npm audit doesn't fix it for me.. unfortunately. Any update on the solution?
The best solution we have right now (from here) is to switch to a patched fork. https://github.com/jonschlinkert/word-wrap/pull/33#issuecomment-1509703360
"resolutions": {
"word-wrap": "npm:@aashutoshrathi/word-wrap@^1.2.4"
},
Looks like eslint bumped their affected dependency optionator so that may work for you as well. https://github.com/eslint/eslint/issues/17117
"resolutions": {
"optionator": "^0.9.3"
}
Non-Yarn users can use overrides in place of resolutions apparently. (haven't tried)
Lastly, it seems many have swapped over to the fork according to the fork's page on npmjs.org.
Duplicate of https://github.com/jonschlinkert/word-wrap/issues/32
Hi, everyone.
I was looking for an answer, and never thought it would be as simple as this.
npm audit fix
It will ultimately update the version of the dependency package and it creates no problem.
For reference of the change, you can see here
Fixed in word-wrap@1.2.4.
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
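As an added example (not from the thread or from either project), the Node.js sketch below checks a parsed package-lock.json for the situations discussed above: a word-wrap copy older than 1.2.4, an aliased fork, or a dependent such as optionator whose word-wrap cannot be resolved at all (the "Cannot find module" case). It assumes lockfileVersion 2 or 3 and that npm records a name field on aliased entries; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3, assumed).
const FIXED = [1, 2, 4]; // fixed release per the thread: word-wrap@1.2.4
// True when "x.y.z" is older than FIXED (prerelease tags ignored: assumption).
function isBelowFixed(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIXED[i]) return a < FIXED[i];
  }
  return false;
}

// Walk up node_modules folders the way Node resolves require().
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

function auditWordWrap(lock) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.optionalDependencies };
    if (!('word-wrap' in deps)) continue;
    const hit = resolveDep(packages, path, 'word-wrap');
    if (!hit) { findings.push({ dependent: path, status: 'missing' }); continue; }
    const { name = 'word-wrap', version = '' } = packages[hit];
    // An aliased entry (name differs) is the fork the thread describes as patched.
    const vulnerable = name === 'word-wrap' && isBelowFixed(version);
    findings.push({ dependent: path, resolved: hit, name, version,
      status: vulnerable ? 'vulnerable' : 'ok' });
  }
  return findings;
}

// Constructed sample lockfile: eslint -> optionator -> word-wrap.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { dependencies: { eslint: '8.43.0' } },
  'node_modules/eslint': { version: '8.43.0', dependencies: { optionator: '^0.9.1' } },
  'node_modules/optionator': { version: '0.9.1', dependencies: { 'word-wrap': '^1.2.3' } },
  'node_modules/word-wrap': { version: '1.2.3' },
} };
console.log(auditWordWrap(sampleLock));
```

Run it against `JSON.parse` of the real lockfile after applying an override or resolution to confirm every dependent resolves to a patched copy.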