snyk / nodejs-lockfile-parser

Generate a Snyk dependency tree from package-lock.json or yarn.lock file

fix: avoid redos by replacing regex with string split #221

Closed gemaxim closed 4 months ago

gemaxim commented 5 months ago

What this does

Instead of matching (..) groups, which has a ReDoS vulnerability, split the string by "(". This gets the string up to the first occurrence of "(". This works just fine because a package name cannot have "(" in its name (it shows up just as a separator).
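The swap the PR describes, as an added example that is not code from snyk/nodejs-lockfile-parser and not part of the PR. The page does not show the regex that was replaced or the lockfile keys it ran on, so the "before" regex below is a constructed stand-in for the backtracking pattern class described (an unbounded capture group ahead of a literal "(" and another inside the parentheses), the sample keys are constructed, and the function names `nameBeforeParenRegex`, `nameBeforeParenSplit` and `hostileKey` are this example's own. It shows that the two versions agree on well-formed keys, which is what makes the replacement safe, and that only the split version stays linear on a key made of unclosed "(" characters.

```javascript
// Added example, not code from snyk/nodejs-lockfile-parser. The PR text does
// not show the original regex or the lockfile keys, so the regex below is a
// constructed stand-in for the backtracking pattern the PR describes, and the
// sample keys are constructed.

// Before: a capturing regex that reads the text before "(" as the name and the
// parenthesised remainder as a suffix. When the input has no closing ")", the
// engine retries every split point between the two unbounded groups, so the
// work grows roughly with the square of the input length.
const NAME_WITH_SUFFIX = /^(.*?)\((.*)\)$/;

function nameBeforeParenRegex(key) {
  const m = NAME_WITH_SUFFIX.exec(key);
  return m ? m[1] : key;
}

// After: the approach the PR describes. A package name cannot contain "(", so
// everything before the first "(" is the name. split() is one linear scan and
// has nothing to backtrack, whatever the rest of the string looks like.
function nameBeforeParenSplit(key) {
  return key.split('(')[0];
}

// Constructed keys: a name, optionally followed by a "(...)" suffix.
const SAMPLE_KEYS = [
  'lodash@4.17.21',
  '@babel/core@7.22.0(supports-color@5.5.0)',
  'react-dom@18.2.0(react@18.2.0)',
];

// On well-formed keys both versions return the same name; this equivalence is
// what the PR relies on when swapping one for the other.
function bothAgree(keys) {
  return keys.every((k) => nameBeforeParenRegex(k) === nameBeforeParenSplit(k));
}

// Hostile key: n opening parentheses and no closing one. A lockfile is
// attacker-influenced input, so the parser must stay linear on this shape.
function hostileKey(n) {
  return '('.repeat(n);
}

function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Run both versions on growing hostile inputs and report wall time. Doubling n
// roughly quadruples the regex time, while the split time stays flat.
function demo() {
  for (const n of [2000, 4000, 8000]) {
    const key = hostileKey(n);
    const regexMs = timeMs(() => nameBeforeParenRegex(key));
    const splitMs = timeMs(() => nameBeforeParenSplit(key));
    console.log(`n=${n}: regex ${regexMs.toFixed(1)} ms, split ${splitMs.toFixed(3)} ms`);
  }
}

demo();
```

The regex here uses a lazy first group so that, like the split, it stops at the first "(" and the two versions agree on keys with more than one parenthesised suffix; a greedy group would have matched the last "(" instead, which is the kind of silent behavioural difference to check for before replacing a regex with string operations.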

snyksec commented 4 months ago

:tada: This PR is included in version 1.53.3 :tada:

The release is available on:

Your semantic-release bot :package::rocket: