Closed linhenry0417 closed 2 years ago
Is there any plan on fixing the vulnerability? It looks like the issue still exists in the latest 11.0.0 release. Thanks.
└─┬ express-openapi@11.0.0
  └─┬ openapi-framework@11.0.0
    └─┬ glob@7.1.6
      └── minimatch@3.0.4
@jsdevel
@jsdevel Thanks for helping to address the issue. Was the issue fixed in the latest 11.0.1 release? I've tried to upgrade the package, but minimatch was still not upgraded.
└─┬ express-openapi@11.0.1
  └─┬ openapi-framework@11.0.1
    └─┬ glob@7.1.6
      └── minimatch@3.0.4
@linhenry0417 It should have been. Try wiping out node_modules and reinstalling.
One of the dependencies, minimatch, has a vulnerability that is fixed in its later 3.0.5 version. Since the latest 10.1.0 release of express-openapi still uses an older version of minimatch (3.0.4), it will need to be fixed or updated to avoid the vulnerability.

Type: vulnerability
CVE: PRISMA-2022-0039
Sev.: high
Package Name: minimatch
Package Ver.: 3.0.4
Status: fixed in 3.0.5
Description: minimatch package versions before 3.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS). It's possible to cause a denial of service when calling function braceExpand (the regex /{.*}/ is vulnerable and can be exploited).
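The thread above turns on whether the transitive minimatch really got bumped after a reinstall, which is hard to see from a flat `npm audit` summary. The following script is an added example (not code from the express-openapi project or from anyone in this issue): it walks an `npm ls --json`-style dependency tree and reports every path that still resolves minimatch to a version below the fixed 3.0.5. The tree it checks is constructed inline to mirror the one posted above, with a hoisted, already-fixed copy added to show that only the nested vulnerable copy is flagged; the version comparison is a deliberately minimal major.minor.patch check, not a full semver implementation.

```javascript
// Added example: audit an `npm ls --json`-style tree for a transitive
// dependency that is still below its fixed version.
// Not part of express-openapi; the sample tree below is constructed.

const PKG = "minimatch";
const FIXED = "3.0.5"; // version in which the ReDoS was fixed (from the issue)

// Minimal semver comparison on major.minor.patch only (no prerelease tags).
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively collect "a@x > b@y > ..." paths for every install of `pkg`
// whose version is older than `fixed`. Hoisted copies that are already
// patched are left alone; only the vulnerable nested copies are reported.
function findVulnerable(tree, pkg = PKG, fixed = FIXED, path = [], out = []) {
  const deps = tree.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, fixed) < 0) {
      out.push(here.join(" > "));
    }
    findVulnerable(node, pkg, fixed, here, out);
  }
  return out;
}

// Constructed sample tree shaped like `npm ls --json` output, mirroring the
// tree posted in the issue plus a hoisted copy that is already at 3.0.5.
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "express-openapi": {
      version: "11.0.1",
      dependencies: {
        "openapi-framework": {
          version: "11.0.1",
          dependencies: {
            glob: {
              version: "7.1.6",
              dependencies: { minimatch: { version: "3.0.4" } },
            },
          },
        },
      },
    },
    minimatch: { version: "3.0.5" }, // hoisted and already fixed: not reported
  },
};

// Stand-alone run: prints the one vulnerable path from the sample tree.
console.log(findVulnerable(sampleTree));
```

To run it against a real project, capture the tree with `npm ls --all --json > tree.json`, then call `findVulnerable(JSON.parse(fs.readFileSync("tree.json", "utf8")))`. An empty result after the clean reinstall the maintainer suggests confirms the nested copy is gone; a non-empty result points at the exact parent package (here `glob`) whose own range still pins the old minimatch.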