Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix for known vulnerability in url-loader version #3244

Closed
JaredVanderford opened this issue Oct 5, 2017 · 1 comment
Closed

Fix for known vulnerability in url-loader version #3244

JaredVanderford opened this issue Oct 5, 2017 · 1 comment
Labels
contributions: claimed difficulty: starter hacktoberfest
Milestone
1.0.x

Comments

@JaredVanderford
Copy link

Is this a bug report?

no

Can you also reproduce the problem with npm 4.x?

Yes

Environment

Irrelevant

Actual Behavior

There is a vulnerability identified by NSP in the version of url-loader currently set as a dependency.
"react-scripts@1.0.14 > url-loader@0.5.9 > mime@1.3.6 "

url-loader has fixed this issue since 0.6.
@Timer
Copy link
Contributor

Timer commented Oct 5, 2017

I'll accept a PR for this but there's no rush because it's for untrusted user input (& simply a DoS).

@Timer Timer added this to the 1.0.x milestone Oct 5, 2017
@Timer Timer closed this as completed in 62f0a83 Oct 5, 2017
zmitry pushed a commit to zmitry/create-react-app that referenced this issue Aug 14, 2018
@joshwiens @Timer
Update url-loader to 0.6.2 for mime ReDoS vuln (facebook#3246)
428eac9 
- Changelog: https://github.com/webpack-contrib/url-loader/blob/master/CHANGELOG.md
 - Reference issue:  https://nodesecurity.io/advisories/535

Fixes facebook#3244
@lock lock bot locked and limited conversation to collaborators Jan 21, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
contributions: claimed difficulty: starter hacktoberfest
Projects
None yet
Milestone
1.0.x
Development

No branches or pull requests
2 participants
@Timer @JaredVanderford