Regular Expression Denial of Service (ReDoS)
tomhsiao1260 opened this issue
Yesterday there was a new npm report on dat.gui, which states that dat.gui has a severity vulnerability (you get a warning message after running the "npm i dat.gui" command). Can anyone explain more about this warning?
Oh, I found that someone has already sent a PR #279 (7 months ago). Hope it can be merged as soon as possible to remove this severity vulnerability warning.
@tomhsiao1260 could you possibly re-open this issue?
Seems that this project is no longer maintained by its owner. Though this issue has already been fixed in this GitHub repo, the npm version (published a year ago ...) is still not updated. It is worth mentioning that Mr.doob (three.js project owner) also tried to access the dat.gui npm package 3 months ago in order to fix this vulnerability. But it seems that there is no further progress.
However, in my opinion, a ReDoS attack is harmless when developing frontend-only projects. So if you still want to use this tool without the severity vulnerability warning showing up, you can use it locally, as I did in this project.
Thank you @tomhsiao1260 for the clarification and for having reopened the issue!
Do we have any updates on this? :)
Yes, can we at least bump the current git master to version 0.7.8 so we do not get the warning if we add
"dat.gui": "git+https://github.com/dataarts/dat.gui.git",
to our package.json dependencies.
Finally, someone tried an alternative to dat.gui
🙌
lil-gui: https://github.com/georgealways/lil-gui
related issue: mrdoob/three.js#22765
0.7.8 is now on npm with the fix.
But yes, please migrate to lil-gui if you can 🙏