Bug #27103

update npm diff package due to security alert

Added by Ohad Levy 4 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
JavaScript stack
Target version:
-

Description

WS-2018-0590
high severity
Vulnerable versions: < 3.5.0
Patched version: 3.5.0
A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

This was fixed at https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0

Associated revisions

Revision 18649478 (diff)
Added by Ohad Levy 3 months ago

fixes #27103 - bump npm diff package version

Revision e8ec883f (diff)
Added by Ewoud Kohl van Wijngaarden 3 months ago

Refs #27103 - Allow diff 4.x in unidiff

Revision 7d385371 (diff)
Added by Ewoud Kohl van Wijngaarden 3 months ago

Refs #27103 - Pin diff to a major version

18649478cb128591738f97931f98632fd966d1f2 pinned it to a lower bound, but
for our dependencies it's better to follow semver and not blindly allow
new major versions.
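The ticket description gives the advisory's version boundary (vulnerable below 3.5.0, patched in 3.5.0), and the commit message above explains why the dependency should be pinned to one major version rather than an open lower bound. The script below is an added example, not code from Foreman or jsdiff: it walks an npm lockfile `dependencies` tree (the `lockfileVersion: 1` layout, where every entry carries a `version` and may carry nested `dependencies`) to flag every installed copy of `diff` older than the patched release, including transitive copies that a top-level bump alone would not fix, and checks that a declared range is a caret range (`^X.Y.Z`, one major) rather than `>=X.Y.Z`. The lockfile fragment, the `ADVISORY` object and the helper names are constructed for the example.

```javascript
// Added example, not Foreman's or jsdiff's code. Audits a lockfile tree for the
// diff advisory in this ticket and checks that a range is pinned to one major.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); pre-release tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Advisory data taken from the ticket: vulnerable < 3.5.0, patched in 3.5.0.
const ADVISORY = { id: 'WS-2018-0590', pkg: 'diff', patched: '3.5.0' };

// Recursively collect every installed copy of `name`, remembering the path
// through the tree so nested (transitive) copies can be reported.
function findInstalled(deps, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(' > '), version: info.version });
    findInstalled(info.dependencies, name, here, out);
  }
  return out;
}

// Every installed copy whose version is below the patched release.
function vulnerableCopies(lock, advisory = ADVISORY) {
  return findInstalled(lock.dependencies, advisory.pkg)
    .filter(c => compareVersions(c.version, advisory.patched) < 0);
}

// The commit message's rule: a caret range ("^4.0.0") follows semver and stays
// within one major; an open lower bound (">=3.5.0") admits any future major.
function isPinnedToMajor(range) {
  return /^\^\d+\.\d+\.\d+$/.test(range.trim());
}

// Human-readable findings for a lockfile object.
function report(lock, advisory = ADVISORY) {
  return vulnerableCopies(lock, advisory).map(
    c => `${advisory.id}: ${c.path}@${c.version} is below patched ${advisory.patched}`
  );
}

// Constructed sample lockfile fragment: the top-level diff is already patched,
// but a nested copy under unidiff is still on an older release.
const SAMPLE_LOCK = {
  dependencies: {
    diff: { version: '3.5.0' },
    unidiff: {
      version: '1.0.0',
      dependencies: { diff: { version: '3.4.0' } },
    },
  },
};

console.log(report(SAMPLE_LOCK).join('\n'));
console.log('^4.0.0 pinned to major:', isPinnedToMajor('^4.0.0'));
console.log('>=3.5.0 pinned to major:', isPinnedToMajor('>=3.5.0'));
```

Run with `node` on a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; the nested-path output is what tells you whether the fix needs a change in a dependency's own range (as the `unidiff` revision in this ticket did) rather than only a top-level bump.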

History

#1 Updated by The Foreman Bot 4 months ago

  • Assignee set to Ohad Levy
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/6853 added

#2 Updated by Ewoud Kohl van Wijngaarden 3 months ago

  • Triaged changed from No to Yes
  • Fixed in Releases 1.23.0 added

#3 Updated by Ohad Levy 3 months ago

  • Status changed from Ready For Testing to Closed

#4 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/foreman-packaging/pull/3902 added

#5 Updated by The Foreman Bot 3 months ago

  • Pull request https://github.com/theforeman/foreman/pull/6889 added

#6 Updated by Tomer Brisker 2 months ago

  • Category changed from Security to JavaScript stack
