Posted to dev@senssoft.apache.org by "Joshua Poore (JIRA)" <ji...@apache.org> on 2019/01/13 23:35:00 UTC

[jira] [Commented] (SENSSOFT-322) minimatch deprecation: ReDOS vulnerability

    [ https://issues.apache.org/jira/browse/SENSSOFT-322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16741683#comment-16741683 ] 

Joshua Poore commented on SENSSOFT-322:
---------------------------------------

Solution #2 is a terrible idea. While it's possible to ensure that later versions of minimatch are running globally, updating downstream dependencies of gulp requires either a complicated npm link task, which seems complicated to walk users through, or it requires manually replacing minimatch <3.0.2 in subdirs -- a little too hacky to even consider for a short-term fix.

[https://stackoverflow.com/questions/52966789/how-to-update-specific-sub-package-version-by-using-npm]

> minimatch deprecation: ReDOS vulnerability
> ------------------------------------------
>
>                 Key: SENSSOFT-322
>                 URL: https://issues.apache.org/jira/browse/SENSSOFT-322
>             Project: SensSoft
>          Issue Type: Bug
>          Components: UserALE.js
>    Affects Versions: UserALE.js 1.0.0, UserALE.js 1.1.0
>            Reporter: Joshua Poore
>            Assignee: Joshua Poore
>            Priority: Major
>             Fix For: UserALE.js 1.0.0, UserALE.js 1.1.0
>
>         Attachments: minimatch 2.0.7 vulnerability
>
>
> minimatch 2.0.7 has a ReDOS vulnerability. minimatch must be upgraded to ^3.0.2 to remove the vulnerability. However, minimatch 2.0.7 is a dependency of vinyl-fs, which is a dependency of gulp 3.9.1. Two potential options:
>  1. The right way: update to gulp 4.0.0, which has breaking changes.
>  2. The wonky way: coerce the global environment to use minimatch 3.0.2 using "npm install -g minimatch@3.0.2". gulp 3.9.1 will still force installation of vinyl-fs, which will force installation of minimatch 2.0.7. However, coercing npm to install 3.0.2 should remove the vulnerability. This solution is purely a downstream hack. See this thread: [https://stackoverflow.com/questions/38046392/npm-warn-deprecated-minimatch2-0-10-please-update-to-minimatch-3-0-2-or-higher/38077214]
> Will test #2 as an intermediate solution

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)