mozilla / mozjpeg

Improved JPEG encoder.


Vulnerability in transitive dependency trim-newlines

karlhorky opened this issue

Hi there, thanks for this package!

Transitive dependency chain: mozjpeg@6.0.0 -> logalot@2.1.0 -> squeak@1.3.0 -> lpad-align@1.1.2 -> meow@3.7.0 -> trim-newlines@^1.0.0

Vulnerability: GHSA-7p7h-4mm5-852v

Repro:

$ mkdir test-pkg
$ cd test-pkg
$ npm init -y
$ npm install mozjpeg
...
$ npm audit
# npm audit report

trim-newlines  <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via `npm audit fix`
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow

2 high severity vulnerabilities

To address all issues, run:
  npm audit fix

Ref: kevva/logalot#4
Ref: kevva/squeak#4
Ref: kevva/lpad-align#5

This project does not support Node.js. Please report the bug to the person who is repackaging MozJPEG for Node.

Ah sorry, didn't look closely enough at this repo! 🤦‍♂️

There's an open issue over here in the repo for the mozjpeg npm package: imagemin/mozjpeg-bin#63