philihp / fields-of-arle

Fields of Arle Simulator
https://arle.philihp.com
GNU General Public License v3.0
19 stars 10 forks source link

Update dependency color-string to 1.5.5 [SECURITY] #720

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

Mend Renovate

This PR contains the following updates:

Package Change
color-string 1.5.4 -> 1.5.5

GitHub Vulnerability Alerts

CVE-2021-29060

In the npm package color-string, there is a ReDos (Regular Expression Denial of Service) vulnerability regarding an exponential time complexity for linearly increasing input lengths for hwb() color strings.

Strings reaching more than 5000 characters would see several milliseconds of processing time; strings reaching more than 50,000 characters began seeing 1500ms (1.5s) of processing time.

The cause was due to a the regular expression that parses hwb() strings - specifically, the hue value - where the integer portion of the hue value used a 0-or-more quantifier shortly thereafter followed by a 1-or-more quantifier.

This caused excessive backtracking and a cartesian scan, resulting in exponential time complexity given a linear increase in input length.


Configuration

πŸ“… Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

β™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

πŸ”• Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.