Request to Upgrade es5-ext Dependency to Resolve Veracode Vulnerability
Tringapps-Dharshan opened this issue
Description:
I'm encountering a Veracode vulnerability (Regular Expression Denial of Service - ReDoS) in the es5-ext dependency.
Vulnerability Details:
For more information about the vulnerability, refer to security.snyk.io.
Request:
To address this issue, I kindly request an upgrade of the es5-ext package to version 0.10.63 or higher to resolve the Veracode vulnerability.
Resolved and pushed the updates to this pull request. Let me know if anything needs further attention.
Folks, might it be possible to get this applied? es5-ext also results in socket.dev scanner errors due to it being protestware: medikoo/es5-ext#116
For what it's worth, I'm 200% on board with the protestware.
@theturtle32 I'm building quite sensitive medical software. I have a duty of care to patients that exceeds my political stance here. The addition of a postinstall script in an npm package is a high-risk proposition from a supply chain point of view. I fully support the author's right to do what they want with their open source project; I just can't justify including that package in my software.
Although I realize that this change might have actually done the opposite of what I wanted here.
I've ended up with this in my package.json until I can remove the dependency entirely:

```json
"resolutions": {
  "es5-ext": "0.10.53"
},
```
This is what the scanner failures look like now @theturtle32: https://socket.dev/npm/package/websocket