date-and-time dependency security issue
zfan40 opened this issue · comments
Problem description:
vulnerability: date-and-time is an npm package for manipulating date and time. In date-and-time before version 0.14.2, there is a regular expression involved in parsing which can be exploited to cause a denial of service. This is fixed in version 0.14.2.
remediation: Upgrade date-and-time from 0.12.0 to 0.14.2 to fix the vulnerability.
vulnerability: Due to an overly permissive regular expression, the parsing of certain date strings may lead to a denial of service.
remediation: Upgrade to version v0.14.2
vulnerability: date-and-time is vulnerable to Regular Expression Denial Of Service (ReDoS). The vulnerability is possible due to an overly permissive regular expression; the parsing of certain date strings may lead to a denial of service.
Solution:
date-and-time@0.12.0
The dependency needs to be changed to ^0.14.2
@git-qfzhang could you please help follow up on this? Thanks.
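
An added example, not part of the original issue or of the project's code: it scans a package-lock.json for installed copies of date-and-time resolved below 0.14.2 (direct or nested) and shows why a caret range on a 0.x version, such as ^0.12.0, can never resolve to the fix. The lockfile contents, the `^0.12.0` range and the names `demo-app`, `some-lib` and `other-lib` are constructed for illustration.

```javascript
const PKG = "date-and-time";
const FIXED = [0, 14, 2]; // first fixed version, as stated in the issue

// Constructed sample lockfile (npm lockfileVersion 3 layout); not from the project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "date-and-time": "^0.12.0" } },
    "node_modules/date-and-time": { version: "0.12.0" },
    "node_modules/some-lib/node_modules/date-and-time": { version: "0.14.2" },
    "node_modules/other-lib": { version: "1.3.0" },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a sorts strictly before version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Every installed copy of PKG (top-level or nested) resolved below the fix.
function findVulnerableCopies(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${PKG}`) || !meta.version) continue;
    if (isBelow(parseVersion(meta.version), FIXED)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Exclusive upper bound of a caret range; on 0.x it stops at the next minor.
function caretUpperBound(range) {
  const [maj, min, pat] = parseVersion(range.replace(/^\^/, ""));
  if (maj > 0) return [maj + 1, 0, 0];
  return min > 0 ? [0, min + 1, 0] : [0, 0, pat + 1];
}

// True when the caret range can resolve to the fixed version or later.
function caretCanReachFix(range) {
  return isBelow(FIXED, caretUpperBound(range));
}

console.log(findVulnerableCopies(sampleLock), caretCanReachFix("^0.12.0"));
```

Because a range like ^0.12.0 stops below 0.13.0, `npm update` alone would not pull in 0.14.2; the declared range itself has to be changed, as the issue requests.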