wooorm / franc

Natural language detection
https://wooorm.com/franc/
MIT License

Regular Expression Denial of Service in trim #101

Closed sgadekar81 closed 2 years ago

sgadekar81 commented 2 years ago

I am using franc-all@6.0.0. On running npm audit it shows high-severity vulnerabilities in trim, as franc-all@6.0.0 depends on trigram-utils => trim.

On further investigation I found that:

Versions of trim lower than 0.0.3 are vulnerable to Regular Expression Denial of Service (ReDoS) via trim(). https://www.npmjs.com/advisories/1700 Upgrade to version 0.0.3 or later

So upgrading to latest trigram-utils should resolve the issue

wooorm commented 2 years ago

Don’t worry about it. These security advisories are typically bullshit. See also: https://overreacted.io/npm-audit-broken-by-design/. And see the PoC: https://snyk.io/vuln/SNYK-JS-TRIM-1017038. What that means is that your code could potentially become a bit slow when someone throws MBs of data at you, but then again: this project tries to detect what language that document is in, and that’s much slower comparatively than removing a few spaces.
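The following is an added illustration of the ReDoS class the advisory refers to and of the "it only gets slow on large input" point made above; it is example code written for this page, not code from franc, trigram-utils or the trim package. It assumes the affected trim versions use a regex of the shape `/^\s*|\s*$/g` (the issue does not quote their source), and the adversarial input is constructed here. The superlinear cost only appears when the long whitespace run is not at the start of the string, because `^\s*` would otherwise consume it in one pass; the `\s*$` alternative is then retried from every position in the run and backtracks over the remainder each time.

```javascript
// Added example, not from franc/trigram-utils/trim: quadratic regex trim vs.
// linear-time alternatives, with a small benchmark on constructed input.

// Assumption: the vulnerable trim() looks like this. `\s*$` is attempted at
// every index of an inner whitespace run and backtracks over the rest of
// the run each time, so "x" + " ".repeat(n) + "x" costs O(n^2) steps.
function regexTrim(str) {
  return str.replace(/^\s*|\s*$/g, "");
}

// Linear-time trim: walk inward from both ends, one character at a time.
// No backtracking is possible because each character is examined once.
function linearTrim(str) {
  let start = 0;
  let end = str.length;
  while (start < end && /\s/.test(str[start])) start++;
  while (end > start && /\s/.test(str[end - 1])) end--;
  return str.slice(start, end);
}

// The engine's own trim is also linear and is the simplest replacement.
function nativeTrim(str) {
  return str.trim();
}

// Constructed adversarial input: a long run of spaces that is NOT at either
// end, so `^\s*` cannot swallow it and `\s*$` is forced to backtrack.
function adversarialInput(n) {
  return "x" + " ".repeat(n) + "x";
}

// True when all three implementations agree on the input (they are meant to
// be behaviourally equivalent; only the cost differs).
function sameResult(input) {
  const r = regexTrim(input);
  return r === linearTrim(input) && r === nativeTrim(input);
}

const now = () =>
  typeof performance !== "undefined" ? performance.now() : Date.now();

function timeMs(fn, input) {
  const t0 = now();
  fn(input);
  return now() - t0;
}

// Returns one row per input size: elapsed milliseconds for each trim.
// Doubling n should roughly quadruple regexMs while linearMs stays flat.
function benchmark(sizes) {
  return sizes.map((n) => {
    const input = adversarialInput(n);
    return {
      n,
      regexMs: timeMs(regexTrim, input),
      linearMs: timeMs(linearTrim, input),
      nativeMs: timeMs(nativeTrim, input),
      agree: sameResult(input),
    };
  });
}

// Demo: sizes are kept modest so the quadratic case finishes in well under
// a second; grow them to see the curve continue.
for (const row of benchmark([2000, 4000, 8000, 16000])) {
  console.log(
    `n=${row.n}\tregex=${row.regexMs.toFixed(1)}ms` +
      `\tlinear=${row.linearMs.toFixed(2)}ms` +
      `\tnative=${row.nativeMs.toFixed(2)}ms\tagree=${row.agree}`
  );
}
```

Run it with `node` to see the regex column grow roughly fourfold per doubling of n while the other two columns barely move; the size at which this matters is the practitioner's call, which is the trade-off discussed in the comment above.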