marionebl / svg-term-cli

Share terminal sessions via SVG and CSS
MIT License

Dependency of vulnerable css-select is causing dependabot issues in other projects #85

Open palminha opened 2 years ago

palminha commented 2 years ago

causing problems in create-react-app (react-scripts) https://github.com/facebook/create-react-app/issues/12132

caused by a moderate vulnerability:

```
nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  0.4.2 - 1.3.2
    Depends on vulnerable versions of css-select
    Depends on vulnerable versions of js-yaml
    node_modules/svgo
```

marionebl commented 2 years ago

Looking at the advisory this seems like security noise to me - you could attack yourself by crafting an inefficiently matched string as input to SVGO via svg-term-cli.

Pasting

```sh
# infinite loop; the original post was missing the `;` before `do`
while true; do echo "."; done
```

seems like the simpler choice if you desire to do so though 🤷

That being said - if you care about this upgrade in particular I'm happy to review a PR.
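For anyone hitting the same dependabot alert downstream, the added example below (not part of this issue or of svg-term-cli) walks the JSON that `npm ls nth-check --json --all` prints, flags every nth-check below the 2.0.1 fix version named in the advisory together with the path that pulls it in, and emits the npm `overrides` entry that forces the patched range onto the tree. The sample tree is constructed to mirror the svg-term-cli > svgo > css-select > nth-check chain from the audit output; its versions are illustrative.

```javascript
// Fix version from GHSA-rp65-9cf3-cjxr: nth-check < 2.0.1 is affected.
const FIXED = [2, 0, 1];

// Numeric dotted-version compare; true when `version` is below FIXED.
// Pre-release suffixes are ignored, which is good enough for this check.
function isVulnerable(version) {
  const parts = version.split(/[.-]/).slice(0, 3).map(Number);
  for (let i = 0; i < 3; i++) {
    const p = parts[i] || 0;
    if (p !== FIXED[i]) return p < FIXED[i];
  }
  return false;
}

// Walk an `npm ls --json` tree and collect every vulnerable nth-check,
// recording the dependency path so the top-level culprit is visible.
function findVulnerable(tree, path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'nth-check' && node.version && isVulnerable(node.version)) {
      hits.push({ path: here.join(' > '), version: node.version });
    }
    hits.push(...findVulnerable(node, here));
  }
  return hits;
}

// package.json `overrides` block (npm >= 8.3) forcing the patched range.
function overridesFor(hits) {
  return hits.length ? { overrides: { 'nth-check': '^2.0.1' } } : {};
}

// Constructed sample of `npm ls nth-check --json --all` output; the
// svg-term-cli version is a placeholder, the rest are illustrative.
const SAMPLE = {
  name: 'my-app', version: '1.0.0',
  dependencies: { 'svg-term-cli': { version: 'x.y.z', dependencies: {
    svgo: { version: '1.3.2', dependencies: {
      'css-select': { version: '2.1.0', dependencies: {
        'nth-check': { version: '1.0.2' } } } } } } } } };

const hits = findVulnerable(SAMPLE);
for (const h of hits) console.log(`${h.path}: nth-check ${h.version} < 2.0.1`);
console.log(JSON.stringify(overridesFor(hits), null, 2));
```

Run against real output with `npm ls nth-check --json --all > tree.json` and `JSON.parse` that file in place of `SAMPLE`; after adding the printed `overrides` block and reinstalling, the same walk should return no hits.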