apply backtrack protection to version 3.2.0 because of nestjs #317
Comments
Bump. Please can someone look into this. I don't think upgrading to v8.0.0 or downgrading to v0.1.10 in NestJS is feasible. It could introduce breaking changes which could delay the vulnerability fix from being applied in NestJS. The best short-term solution imho is to patch v3.2.0, which would allow NestJS to get the fix sooner.
It's extremely unlikely you are affected; see GHSA-9wv6-86v2-598j for the attack vector. It's also a non-issue as an attack vector in a browser; you'd just be DoSing your own browser. Unfortunately I've spent months on this already and I don't have the income to support myself continuing to work on every release. If you would like to sponsor work on old versions that might be a possibility.
I also just created a 3.x branch in case you'd like to open a PR to port the patch. You need to be aware that the 0.1.x patch was a breaking change for some users; it's not possible to do this patch without a breaking change.
I have published a 3.3.0 with backtracking protection, but please beware that some use-cases may be broken as a result or have changed what it matches partially (due to avoiding backtracking, e.g.
@blakeembrey I'm curious, the CVE still lists the patched version as being >8 — although it's now been resolved in 3.3.0. How does/will this GHSA-9wv6-86v2-598j be updated to include v3.3.0 as a patched version to this vuln?
I honestly don't know, I updated it on my side but it's the first time I've tried to do this after an audit and there's no way to manually update the published advisory now. From https://github.blog/changelog/2019-12-20-edit-github-security-advisories-after-publish/, it looks like I'm waiting for a GitHub review manually:
nestjs uses this package in version 3.2.0. Could someone apply the patch for this version?
29b96b4
nestjs/nest#13955