cookiejar Regular Expression Denial of Service via Cookie.parse function

Question

Jaykingamez opened this issue 2 years ago · comments

Describe the bug

Due to the use of superagent 8.0.5, which uses cookiejar version 2.1.3, a vulnerability is present in the latest package, GHSA-h452-7996-h45h.

A simple fix would be to update superagent's version to the latest.

Maxim I. · Answer 1 · Tue Feb 07 2023 22:14:37 GMT+0800 (China Standard Time)

any updates on this ?

Carson · Answer 2 · Tue Mar 07 2023 16:54:33 GMT+0800 (China Standard Time)

any updateds on this?

Rick Bergfalk · Answer 3 · Sat Mar 18 2023 13:54:33 GMT+0800 (China Standard Time)

For any Yarn users waiting on a fix... you can workaround this by adding the following resolutions field to your package.json:

  "resolutions": {
    "supertest/**/cookiejar": "^2.1.4"
  }