[GHSA-4gmj-3p3h-gm8h] es5-ext vulnerable to Regular Expression Denial of Service in function#copy and function#toStringTokens
#4433
Conversation
Hi there @medikoo! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
@github, this looks like some spammy submission. See @lukeocodes's proposed changes and comment; they don't relate in any way to the problem covered by this security advisory. I believe this should just be closed.
It's not spammy. You're introducing an advisory which fails on other security tools, including Snyk. If anything, this is responsible disclosure. This cost us time in production, and we've pinned an earlier version as a result.
@lukeocodes the advisory you've attached to addresses a RegExp DoS vulnerability, originally reported here: medikoo/es5-ext#201, and successfully patched a while ago.
I have not linked to an advisory; I have linked to the latest version on socket.dev showing continued advisories related to https://github.com/medikoo/es5-ext/blob/main/_postinstall.js, which conditionally prints content post-install, targeted at Russian developers. This causes it to fail "Protestware or potentially unwanted behavior". I obviously do not support Russia's invasion of Ukraine. I commend your intention, but publishing the list on post-install is not the way. es5-ext (regularly a transitive dependency) running a post-install script providing any content or protestware is, I feel, an abuse of the trust associated with open source. Not only that, by introducing something that can ignore output flags on CI interfaces, you potentially introduce a breaking change without respecting semver. It is also arguable that it is in contravention of npm's terms of use, as it is not relevant to the package, and could cause a hostile environment for people living in/amongst that situation who are helpless (or fearful) of trying to use a Tor mirror to circumvent restrictions. Respect people's right to choose whether to consume that information. Add it to your README and remove the postinstall script. Again, I do commend your intention.
@lukeocodes again, you've opened an issue specifically in the context of the RegExp DoS advisory, and what you're trying to imply here is totally irrelevant to that advisory. Please respect the time of others and do not spam around; there are other forums where you can freely discuss the issue you're raising here.
It is relevant. You continue to raise these, which (potentially) impact millions of projects, where it proliferates prompts to update from earlier versions to ones that include an issue. Other "forums" are right, where you could move your message to your README and resolve this. People who've made similar suggestions on your projects have had their issues closed and/or deleted entirely.
Hey @lukeocodes, as @medikoo points out, this is not the correct place to raise a complaint about the es5-ext npm package. This advisory is about a particular ReDoS issue in versions Please reach out to npm support if you have other concerns about this package.
Comments
I'm not sure if there is an improvement. Since 0.10.53 some virus detectors have flagged this repository for doing illegal postInstall operations, related to posting anti-Russian news articles. There is a better place to share this information, and the post install isn't it.