
Regular Expression Denial of Service #11116

Closed
kaleb-kougl4 opened this issue Jun 16, 2021 · 5 comments

Comments

@kaleb-kougl4

normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

@Grace-Dmello

Grace-Dmello commented Jun 16, 2021

Facing the same issue. High-risk vulnerabilities.

css-what >=5.0.1
immer >=8.0.1

@cricketnest

Facing the same issue.

@croraf

croraf commented Jun 21, 2021

Can this be closed in favor of: #11012 ?

@gaearon
Contributor

gaearon commented Jul 2, 2021

These warnings are false positives. There are no actual vulnerabilities affecting your app here.

To fix npm audit warnings, move react-scripts from dependencies to devDependencies in your package.json.

That will remove the false positive warnings.

I agree with the point in #11102 and will make this change so that new projects don't keep having these false positive warnings.

If you want to discuss this, please comment in #11102.

@gaearon gaearon closed this as completed Jul 2, 2021
@facebook facebook locked as resolved and limited conversation to collaborators Jul 2, 2021
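As an added example (not code from this thread, create-react-app or normalize-url), the following Node.js script triages a lockfile the way a defender would before acting on an `npm audit` report. It checks each `normalize-url` entry against the affected ranges quoted in the first comment (before 4.5.1, 5.x before 5.3.1, 6.x before 6.0.1), walks the npm lockfileVersion 2 `packages` graph to tell whether each hit is reachable from production dependencies or only from dev tooling, and applies the package.json move gaearon recommends. The lockfile, the package `some-lib` and every version number in it are constructed; the script assumes the lockfileVersion 2 layout and ignores prerelease tags.

```javascript
// Added example, not code from create-react-app or normalize-url.
// Triages an npm lockfile (lockfileVersion 2, "packages" map) for the
// normalize-url ReDoS advisory quoted in this issue and reports whether each
// hit is reachable from production dependencies or only from dev tooling.

// Affected ranges as stated in the issue: before 4.5.1, 5.x before 5.3.1,
// 6.x before 6.0.1. Prerelease tags are ignored (simplification).
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false; // equal
}

function isAffectedNormalizeUrl(version) {
  const v = parseVersion(version);
  if (v[0] <= 4) return lessThan(v, [4, 5, 1]);
  if (v[0] === 5) return lessThan(v, [5, 3, 1]);
  if (v[0] === 6) return lessThan(v, [6, 0, 1]);
  return false; // 7.x and later are outside the advisory
}

// Node-style resolution inside the lockfile: look for name under fromPath's
// node_modules, then walk up one node_modules level at a time to the root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Set of lockfile paths reachable from the root's production "dependencies";
// anything reachable only via "devDependencies" is left out, which is what
// moving react-scripts to devDependencies changes for the audit.
function productionReachable(lock) {
  const packages = lock.packages;
  const seen = new Set();
  const stack = Object.keys(packages[''].dependencies || {})
    .map((name) => resolveDep(packages, '', name))
    .filter(Boolean);
  while (stack.length) {
    const path = stack.pop();
    if (seen.has(path)) continue;
    seen.add(path);
    for (const name of Object.keys(packages[path].dependencies || {})) {
      const next = resolveDep(packages, path, name);
      if (next && !seen.has(next)) stack.push(next);
    }
  }
  return seen;
}

function triage(lock) {
  const prod = productionReachable(lock);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (!path.endsWith('node_modules/normalize-url')) continue;
    if (!isAffectedNormalizeUrl(meta.version)) continue;
    findings.push({ path, version: meta.version, production: prod.has(path) });
  }
  return findings;
}

// gaearon's fix applied to a parsed package.json: move the named packages
// from "dependencies" to "devDependencies" (returns a new object).
function moveToDevDependencies(pkg, names) {
  const deps = { ...(pkg.dependencies || {}) };
  const devDeps = { ...(pkg.devDependencies || {}) };
  for (const name of names) {
    if (name in deps) {
      devDeps[name] = deps[name];
      delete deps[name];
    }
  }
  return { ...pkg, dependencies: deps, devDependencies: devDeps };
}

// Constructed sample lockfile: "some-lib" and every version here are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': {
      dependencies: { react: '^17.0.0', 'some-lib': '^1.0.0' },
      devDependencies: { 'react-scripts': '^4.0.0' },
    },
    'node_modules/react': { version: '17.0.0' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { 'normalize-url': '^5.0.0' } },
    'node_modules/some-lib/node_modules/normalize-url': { version: '5.0.0' },
    'node_modules/react-scripts': { version: '4.0.0', dependencies: { 'normalize-url': '^4.5.0' } },
    'node_modules/normalize-url': { version: '4.5.0' },
  },
};

for (const f of triage(SAMPLE_LOCK)) {
  console.log(`${f.path}@${f.version}: ${f.production ? 'production - fix' : 'dev-only - not shipped'}`);
}
```

On the constructed lockfile the copy pulled in by `react-scripts` is reported as dev-only, while the nested copy under `some-lib` is production-reachable and needs a real fix. Once build tooling sits in `devDependencies`, `npm audit --production` (npm 6 and 7) or `npm audit --omit=dev` (npm 8 and later) restricts the report to the production graph, which is the distinction the triage above models.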
@gaearon
Contributor

gaearon commented Jul 2, 2021

Please see #11174.
