nglviewer / ngl

WebGL protein viewer
http://nglviewer.org/ngl/
MIT License

Denial of service in three #972

Closed CLLPCH closed 1 year ago

CLLPCH commented 1 year ago

Dear NGL team,

I use ngl@2.1.0 in my React application. Everything works perfectly. Today I noticed that Dependabot on GitHub has a vulnerability alert for three.js.

I am wondering if anyone here had the same alert and would like to hear your thoughts on how to deal with this issue.

Thank you (and thanks for your great work).


fredludlow commented 1 year ago

My understanding is the three.js code has a vulnerability that means malicious input can cause it to take a very long time to execute some functions. I think this class of vulnerability is more important if it's code that's running on your server (e.g. if this was a vulnerability in a JS webserver package whereby a malicious request causes the node process to stall/hang then you'd have a problem). Given the relevant code runs on the client, I don't think it's a problem.

In any case, updating three.js is some housekeeping we need to do at some point, so this will disappear in due course.

CLLPCH commented 1 year ago

Hi @fredludlow,

Thank you for the explanation.