mulesoft-labs / node-request-error-handler

Standardized error handler for rendering API responses

Address DoT vulnerability #14

Closed jstoiko closed 5 years ago

jstoiko commented 5 years ago

https://nodesecurity.io/advisories/798

  1. assess whether this vulnerability may affect end-users of node-request-error-handler (and osprey)
  2. find a fix

wsolem commented 5 years ago

Is there an update on this? All versions of doT have this security vulnerability, and the package hasn't been updated in two years, so it doesn't look like a fix in that package is coming soon. https://github.com/olado/doT/issues/281

jstoiko commented 5 years ago

@postatum: can you please take a look?

postatum commented 5 years ago

> @postatum: can you please take a look?

We only use the dot.compile function and have about 2-3 use cases, so I think we can rework node-request-error-handler without dot by just implementing a version of dot.compile that fits our specific cases.
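An added example of the rework sketched in the comment above; it is written for this thread and is not code from node-request-error-handler or from doT. It covers only the interpolation case of doT's compile as a plain property lookup, so template text is never compiled into executable JavaScript; the `{{=it.path}}` placeholder syntax, the `compile` and `lookup` names and the sample error template are assumptions.

```javascript
// Added example (not the project's code): an evaluation-free stand-in for
// doT's compile() that supports only the `{{=it.<dotted path>}}` placeholder.
// Anything else in the template is left as literal text.
const PLACEHOLDER = /\{\{=\s*it((?:\.[A-Za-z_$][\w$]*)+)\s*\}\}/g;

function lookup(data, dottedPath) {
  // Walk own properties only, so prototype members such as `constructor`
  // cannot be reached through a template path.
  let current = data;
  for (const key of dottedPath.split('.').filter(Boolean)) {
    if (current === null || typeof current !== 'object' ||
        !Object.prototype.hasOwnProperty.call(current, key)) {
      return undefined;
    }
    current = current[key];
  }
  return current;
}

function compile(template) {
  if (typeof template !== 'string') {
    throw new TypeError('template must be a string');
  }
  // Split the template once into literal text and lookup paths;
  // rendering is then a join, with no generated code involved.
  const parts = [];
  let last = 0;
  for (const match of template.matchAll(PLACEHOLDER)) {
    parts.push({ text: template.slice(last, match.index) });
    parts.push({ path: match[1] });
    last = match.index + match[0].length;
  }
  parts.push({ text: template.slice(last) });

  return function render(it) {
    return parts.map((part) => {
      if (part.text !== undefined) return part.text;
      const value = lookup(it, part.path);
      return value === undefined || value === null ? '' : String(value);
    }).join('');
  };
}

// Constructed sample template modelled on an API error response.
const renderError = compile('{{=it.status}} {{=it.error.name}}: {{=it.error.message}}');

console.log(renderError({ status: 404, error: { name: 'NotFound', message: 'No such route' } }));
```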

Igua95 commented 5 years ago

Hi @postatum, do you have an ETA for this issue? We are also having this security threat on our codebase and we would appreciate having a fix in the following days. I'll stay tuned to this issue 👍

jstoiko commented 5 years ago

For the record, I don’t think this impacts us as there is no user input involved. This will be prioritized accordingly. I discussed this earlier with @wsolem, feel free to reach out if you need more details.

Btw, this has been a known caveat discussed way before the advisory: https://github.com/olado/doT/issues/242 and it’s my understanding that this is a community-reported advisory (Hackerone) that is still open / unresolved only because the authors did not answer. Not to dismiss the importance of addressing those types of issues in general, but to put things in perspective.