videojs / videojs-vr

A plugin to add 360 and VR video support to video.js.
https://videojs-vr.netlify.com/
MIT License

Depends on vulnerable versions of three #244

Closed RoopanV closed 2 years ago

RoopanV commented 2 years ago

npm audit gives the error below

three  <0.125.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1639
No fix available
node_modules/three
  videojs-vr  *
  Depends on vulnerable versions of three
  node_modules/videojs-vr

version installed "videojs-vr": "^1.8.0",

promethyttrium commented 2 years ago

found 11210 vulnerabilities (985 moderate, 10225 high) -- gives a deal of confidence...

gkatsev commented 2 years ago

I'm not seeing that many vulnerabilities. When running npm audit --production I'm seeing two, one for threejs and the other because the locally installed version of video.js has a potential vulnerability.

found 2 vulnerabilities (1 moderate, 1 high) in 31 scanned packages

Looking at the advisory, I'm not sure if it really applies here. We never call THREE.Color() directly.

Also, it seems like versions newer than the one that we use have removed some of the files that we depend upon, and that likely means that updating is a non-trivial task. Unfortunately, we don't really have much bandwidth to look into this. If someone is able to take a look and figure out how to update things, we'd be incredibly grateful.
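Triage of the audit output quoted in this thread, as an added example that is not part of the original issue or of the videojs-vr project. It resolves each direct dependency in an `npm audit --json` report (npm v7+ format) down to the advisory behind it, so a transitive finding like "videojs-vr depends on three" is shown as a chain with its severity and fix status; the report object is constructed to mirror the output above.

```javascript
// Constructed npm v7+ audit report mirroring the output quoted in this issue.
const auditReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    three: {
      name: "three", severity: "high", isDirect: false,
      via: [{
        source: 1639, name: "three",
        title: "Regular Expression Denial of Service",
        url: "https://npmjs.com/advisories/1639",
        severity: "high", range: "<0.125.0",
      }],
      effects: ["videojs-vr"], range: "<0.125.0",
      nodes: ["node_modules/three"], fixAvailable: false,
    },
    "videojs-vr": {
      name: "videojs-vr", severity: "high", isDirect: true,
      via: ["three"], effects: [], range: "*",
      nodes: ["node_modules/videojs-vr"], fixAvailable: false,
    },
  },
};

// Follow `via` entries: a string names another vulnerable package, an object
// is the advisory itself. Returns one record per advisory reached, with the
// package chain leading to it. Repeated names in the chain are cut to stop
// cyclic `via` links from recursing forever.
function resolveChains(vulns, name, chain = []) {
  const entry = vulns[name];
  if (!entry || chain.includes(name)) return [];
  const path = [...chain, name];
  return entry.via.flatMap((v) =>
    typeof v === "string"
      ? resolveChains(vulns, v, path)
      : [{ chain: path.join(" > "), advisory: v.source,
           title: v.title, severity: v.severity, url: v.url }]
  );
}

// Triage only packages the application depends on directly. npm sets
// `fixAvailable` to false, true, or an object describing a (possibly
// semver-major) fix; anything but false counts as fixable here.
function triageDirect(report) {
  const vulns = report.vulnerabilities;
  return Object.values(vulns)
    .filter((v) => v.isDirect)
    .flatMap((v) => resolveChains(vulns, v.name)
      .map((r) => ({ ...r, direct: v.name, fixAvailable: v.fixAvailable !== false })));
}

console.table(triageDirect(auditReport));
```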

gkatsev commented 2 years ago

Decided the most expedient way of fixing this is by vendoring the files. See https://github.com/videojs/videojs-vr/pull/247. @RoopanV or @promethyttrium, can you try out the PR and verify whether things continue working as expected for you?

gkatsev commented 2 years ago

I've published this as 1.10.0. It's tagged next on npm. Please try it out and let me know if there are issues, thanks.

andreas-venturini commented 2 years ago

I tested this with a 360° video in equirectangular format, it works.

I noticed these warnings in the console - which might or might not be an issue for unrelated functionality of this plugin:

[screenshot of console warnings]