mitre-attack / attack-navigator

Web app that provides basic navigation and annotation of ATT&CK matrices
https://mitre-attack.github.io/attack-navigator
Apache License 2.0

No fix available (is_js *) #637

Closed leeliu48307 closed 1 month ago

leeliu48307 commented 1 month ago

I built the app with npm install and got a lot of dependency warnings. Running npm audit, I got the following error:

is_js* Severity: High
is_js vulnerability due to Regular Expression Denial of Service
No fix available
node_modules/is_js

I searched Google and found the same error message, 'No fix available'. How can I fix it? Thanks.

clemiller commented 1 month ago

Hi @leeliu48307,

The vulnerability you've encountered in the is_js package is due to a known issue with ReDoS (is_js GitHub Advisory), specifically in versions 0.9.0 and earlier. The is_js package does not have an available fix for this issue, and as such, we cannot patch this vulnerability within our project. The responsibility to fix this lies with the maintainers of is_js.

It's important to note that despite the vulnerability in the package, the application should still run as expected. Vulnerabilities like these typically pose a risk in scenarios where untrusted input is processed, leading to denial of service attacks. Running the application locally should not present a significant issue if proper security practices are followed and it is protected from untrusted input.
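A triage helper for the situation described in this thread, added here as an example that is not part of the issue or of the attack-navigator project: it reads the JSON that `npm audit --json` emits (the sample below is constructed to mirror the is_js finding above; the advisory URL is a placeholder and the second package is invented) and separates findings npm can fix from those it marks `fixAvailable: false`, so an unfixable advisory like this one is recorded as an accepted risk with its details instead of failing the build on every run.

```javascript
// Constructed sample shaped like the report `npm audit --json` produces
// (auditReportVersion 2). The is_js entry mirrors the finding in this issue;
// the advisory URL is a placeholder and "example-lib" is made up to exercise
// the "fix available" path.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    is_js: {
      name: "is_js", severity: "high", isDirect: true, range: "<=0.9.0",
      via: [{ title: "Regular Expression Denial of Service in is_js",
              url: "https://github.com/advisories/GHSA-PLACEHOLDER" }],
      nodes: ["node_modules/is_js"], fixAvailable: false,
    },
    "example-lib": {
      name: "example-lib", severity: "moderate", isDirect: true, range: "<1.2.0",
      via: [{ title: "Constructed example advisory", url: "https://example.invalid/adv" }],
      nodes: ["node_modules/example-lib"],
      fixAvailable: { name: "example-lib", version: "1.2.0", isSemVerMajor: false },
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Reduce one vulnerability record to the fields needed to document it.
function summarise(v) {
  // `via` mixes advisory objects with bare package-name strings (transitive
  // chains); keep only the objects, which carry the title and advisory URL.
  const advisories = v.via.filter((x) => typeof x === "object");
  return {
    name: v.name, severity: v.severity, isDirect: v.isDirect, range: v.range,
    paths: v.nodes,
    advisories: advisories.map((a) => ({ title: a.title, url: a.url })),
    fixAvailable: Boolean(v.fixAvailable), // false when npm says "No fix available"
  };
}

// Split the report into findings npm can fix and those with no fix available.
function triageAudit(report) {
  const all = Object.values(report.vulnerabilities || {}).map(summarise);
  return { fixable: all.filter((f) => f.fixAvailable),
           unfixable: all.filter((f) => !f.fixAvailable) };
}

// Policy check: only fixable findings at or above `failOn` must block;
// unfixable ones are returned so they can be recorded as accepted risk.
function audit(report, failOn = "high") {
  const { fixable, unfixable } = triageAudit(report);
  const threshold = SEVERITY_RANK[failOn];
  const mustFix = fixable.filter((f) => SEVERITY_RANK[f.severity] >= threshold);
  return { mustFix, acceptedRisk: unfixable };
}
```

Pipe a real report in with `npm audit --json` and the same `triageAudit` applies; the accepted-risk list is what to keep in the project's security notes until is_js publishes a fixed version.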

leeliu48307 commented 1 month ago

Understood, it makes sense. Will follow it, thanks.