webpack-contrib / webpack-hot-middleware

Webpack hot reloading you can attach to your own server
MIT License

ReDoS Vulnerability #412

Closed pedantic79 closed 3 years ago

pedantic79 commented 3 years ago

How Do We Reproduce?

This is a vulnerability in ansi-html, which this package depends on. To repro, you can use the command below as described in Tjatse/ansi-html#19.

Unfortunately, ansi-html seems to be unmaintained. There were several options discussed about what to do in webpack/webpack-dev-server#3576, and it was fixed by switching to a fork of ansi-html called ansi-html-community. It was merged in webpack/webpack-dev-server#3801.

While this package shouldn't be running in production, using unmaintained packages is an issue, and vulnerability scanners pick up the fact that any project using webpack-hot-middleware is pulling in the vulnerable ansi-html package.

createthis commented 3 years ago

Will there be a release based on this?

glenjamin commented 3 years ago

Released in 2.25.1