
Apply backtracking protection to version 1.8.0 due to "[email protected]" #318

Closed
dotnet-fizzyy opened this issue Sep 10, 2024 · 8 comments

Comments

@dotnet-fizzyy

Hi all!

Currently the Git security bot has raised an alert that the path-to-regexp dependency with version ^1.7.0 is vulnerable in the [email protected] (latest released react-router-dom) library.

Not really sure that react-router-dom version 5 will be patched, since the team is completely focused on the new version 6. A resolution to 8.0.0 in package.json does not help and breaks the application on start with an internal module error.

It would be perfect if this vulnerability were fixed in the 1.x.x package version, since there is no chance to migrate to the latest react-router-dom release at the moment in the project I am working on.

Appreciate your attention!
Thanks!

@jackcurtis-te

I was just getting this too but I set my resolution to be version 0.1.10 and it seems fine now.

@blakeembrey
Member

blakeembrey commented Sep 10, 2024

It's extremely unlikely you are affected; see GHSA-9wv6-86v2-598j for the attack vector. It's also a non-issue as an attack vector in a browser: you'd just be DoSing your own browser.

Unfortunately I've spent months on this already and I don't have the income to support myself continuing to work on every release. If you would like to sponsor work on old versions that might be a possibility.

@blakeembrey
Member

There is a 1.x branch in case you want to try porting the patch and opening a PR. The patch is roughly this: 29b96b4. Unfortunately it is also a breaking change; it's not possible to apply the fix without breaking something small.

@stbenjam

stbenjam commented Sep 10, 2024

react-router-dom v5 hasn't seen any updates in 2 years. While they claim there's no end-of-life, it seems likely it'll continue to rot. We're going to just move to v6, but since it's a lot of effort my app seems to work OK forcing the override in package.json for now.

  "overrides": {
    "path-to-regexp": "^0.1.10"
  },

Edit: this didn't work, btw; one of our pages broke. We may just ignore this CVE, but npm audit doesn't have any such feature out of the box, so I'll have to migrate to some third-party tool.

@blakeembrey
Member

blakeembrey commented Sep 10, 2024

I have ported a fix into the 1.9.0 release and released it. It may break in extremely minor ways (e.g. /:a-:b with input /1-2-3 now matches 1-2 and 3, before 1 and 2-3), but neither is likely to occur in normal usage of the library.
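A small model of the /:a-:b behaviour change described in the comment above (the old "1 and 2-3" split versus the 1.9.0 "1-2 and 3" split), added here as an example; it is not code from this thread or from path-to-regexp itself. It assumes the 1.x default parameter class `[^\/]+?` and a hardened class that additionally excludes the literal character preceding the parameter, which reproduces the quoted result; the `hasAdjacentParams` audit helper is likewise an assumption of mine, not a library function.

```javascript
// Added example, not code from this thread or from path-to-regexp itself.
// It models the /:a-:b behaviour change with hand-written regexes.
// Assumption: the 1.x default parameter class is "[^\/]+?", and the hardened
// form additionally excludes the literal character that precedes the
// parameter (which reproduces the "1-2 and 3" result quoted in the comment).

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\\/-]/g, '\\$&');
}

// Compile a route made of single-character literals and ":name" parameters.
// hardened=false: the classic lazy "[^\/]+?" class everywhere.
// hardened=true: a parameter may not consume the literal just before it.
function compileRoute(route, hardened) {
  let src = '^';
  let prevLiteral = '';
  const token = /:(\w+)|([^:])/g;
  let m;
  while ((m = token.exec(route)) !== null) {
    if (m[1]) {
      const excluded = hardened && prevLiteral && prevLiteral !== '/'
        ? '\\/' + escapeRe(prevLiteral)
        : '\\/';
      src += '([^' + excluded + ']+?)';
    } else {
      prevLiteral = m[2];
      src += escapeRe(m[2]);
    }
  }
  return new RegExp(src + '(?:\\/)?$', 'i');
}

// Returns the captured parameter values, or null when the path does not match.
function matchRoute(route, path, hardened) {
  const m = compileRoute(route, hardened).exec(path);
  return m ? m.slice(1) : null;
}

// Audit helper (assumed, not a library API): true when two default parameters
// are joined by a single non-delimiter literal, the "/:a-:b" shape whose
// matching the fix changes. "/users/:id" and "/:a/:b" are not flagged.
function hasAdjacentParams(route) {
  return /:\w+[^:\/.\w]:\w+/.test(route);
}

// Old: "1" and "2-3". Hardened: "1-2" and "3". The hardened class also removes
// the quadratic backtracking: once the "-" literal fails to match, the second
// group cannot expand over further dashes to retry.
console.log(matchRoute('/:a-:b', '/1-2-3', false), matchRoute('/:a-:b', '/1-2-3', true));
```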

@stbenjam

Thank you so much @blakeembrey ❤️

@fengmk2
Member

fengmk2 commented Sep 11, 2024

@blakeembrey Thanks a lot!

@dotnet-fizzyy
Author

@blakeembrey Appreciate your contribution and support, works perfectly, thanks a lot! 🥇
