winstonjs / winston

A logger for just about everything.
http://github.com/winstonjs/winston
MIT License

[Bug]: Medium Severity vulnerability on color-string-1.5.3.tgz #2102

Open biswajit-ibm opened 2 years ago

biswajit-ibm commented 2 years ago

🔎 Search Terms

color-string-1.5.3

The problem

Vulnerable Library - color-string-1.5.3.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color-string/package.json

Dependency Hierarchy:

winston-3.6.0.tgz (Root Library)
  diagnostics-2.0.2.tgz
    colorspace-1.1.2.tgz
      color-3.0.0.tgz
        ❌ color-string-1.5.3.tgz (Vulnerable Library)

Vulnerability Details

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

What version of Winston presents the issue?

v3.6.0

What version of Node are you using?

v.12

If this worked in a previous version of Winston, which was it?

No response

Minimum Working Example

No response

Additional information

No response

wbt commented 2 years ago

Thanks for the report! As an FYI for the future, that is not the library homepage as labeled and a link to the posted vulnerability is helpful. This appears to have been fixed in color-string 1.5.5. The second line of your dependency tree is different than what I'm seeing and the switch to using a fork of the diagnostics package was in Winston as of 3.3.2 a couple years ago. I don't know why you're seeing something different.