Open renovate[bot] opened 1 year ago
This PR contains the following updates:
3.0.0
3.0.1
4.1.0
4.1.1
5.0.0
5.0.1
ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.
Proof of Concept
import ansiRegex from 'ansi-regex'; for(var i = 1; i <= 50000; i++) { var time = Date.now(); var attack_str = "\u001B["+";".repeat(i*10000); ansiRegex().test(attack_str) var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") }
The ReDOS is mainly due to the sub-patterns [[\\]()#;?]* and (?:;[-a-zA-Z\\d\\/#&.:=?%@​~_]*)*
[[\\]()#;?]*
(?:;[-a-zA-Z\\d\\/#&.:=?%@​~_]*)*
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
3.0.0
->3.0.1
4.1.0
->4.1.1
5.0.0
->5.0.1
GitHub Vulnerability Alerts
CVE-2021-3807
ansi-regex is vulnerable to Inefficient Regular Expression Complexity which could lead to a denial of service when parsing invalid ANSI escape codes.
Proof of Concept
The ReDOS is mainly due to the sub-patterns
[[\\]()#;?]*
and(?:;[-a-zA-Z\\d\\/#&.:=?%@​~_]*)*
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate. View repository job log here.