DoS vulnerability #1719
Comments
@callumacrae No, not true - there's absolutely no case where this would ever be a problem with gulp. I'm all for fixing security issues (literally used to be my job!) but this nodesecurity stuff is ridiculous. You could say the same "DoS exploit" about

WARNING!

```js
// Builds an array of `len` zeros (function name now matches the call below).
var genarr = function (len) {
  var result = [];
  for (var i = 0; i < len; i++) {
    result.push(0);
  }
  return result;
};
var exploit = genarr(10000000000000000000);
// wow, incredible exploit.
console.log("starting forEach");
exploit.forEach(function () {
  // haha owned! omg!
});
console.log("finishing epic exploit");
```

Jokes aside, don't worry about this. If you have some crazy case where you're taking unsanitized user input and passing it directly into gulp.src you have other serious issues on your hands.
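The guard the comment above alludes to, as an added example that is not code from this thread, from gulp or from minimatch: a validator that refuses glob patterns coming from outside the build script before they are handed to gulp.src. The length cap, the allowed character set and the path rules are assumptions chosen here for illustration, not limits defined by gulp or minimatch.

```javascript
'use strict';

// Added example, not part of gulp or of this issue thread.
// Policy for globs that originate outside the build script (CLI arguments,
// config fetched from elsewhere). The limits are assumptions made here for
// illustration, not values taken from gulp or minimatch.
const MAX_PATTERN_LENGTH = 256;
// Letters, digits and the punctuation a build glob realistically needs.
const ALLOWED = /^[A-Za-z0-9_.\-\/*?{},!\[\]]+$/;

// Returns { ok: true, pattern } or { ok: false, reason }.
function validateGlob(input) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (input.length === 0 || input.length > MAX_PATTERN_LENGTH) {
    return { ok: false, reason: 'pattern length out of range' };
  }
  if (!ALLOWED.test(input)) {
    return { ok: false, reason: 'pattern contains disallowed characters' };
  }
  // Reject absolute paths and parent-directory segments so an untrusted
  // pattern cannot reach outside the project tree.
  if (input.startsWith('/') || input.split('/').includes('..')) {
    return { ok: false, reason: 'pattern must stay inside the project' };
  }
  return { ok: true, pattern: input };
}

// Filters candidate patterns, keeping the acceptable ones and recording
// the reason for every rejection so it can be logged.
function filterGlobs(inputs) {
  const accepted = [];
  const rejected = [];
  for (const p of inputs) {
    const r = validateGlob(p);
    if (r.ok) accepted.push(r.pattern);
    else rejected.push({ input: p, reason: r.reason });
  }
  return { accepted, rejected };
}

// Constructed sample input: one ordinary build glob plus values an
// untrusted caller might hand over.
const sample = [
  'src/**/*.js',
  '../../etc/passwd',
  '/abs/path/*.js',
  'a'.repeat(300),
  'src/*.js\n',
];

if (typeof require !== 'undefined' && require.main === module) {
  const result = filterGlobs(sample);
  console.log(JSON.stringify(result, null, 2));
  // Only the first pattern is accepted; the rest are reported with reasons.
  // A caller would pass result.accepted to gulp.src and log the rejects.
}

if (typeof module !== 'undefined') {
  module.exports = { validateGlob, filterGlobs, sample, MAX_PATTERN_LENGTH };
}
```

Only `result.accepted` should ever reach gulp.src; anything in `result.rejected` is logged and dropped. An allowlist of characters is used rather than a denylist because the set of characters a build glob legitimately needs is small and easy to enumerate.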
Why not just update the dependency version?

@erikvold it's called Semver.

@erikvold There are breaking changes that would surface in our API, which means we would break our API and break other people's perfectly fine code to solve a non-problem. Our next breaking release uses the latest version, you can use that if the warning really bothers you. Real security vulnerabilities get backported by any means necessary, but non-issues like this get no priority and will be out in the next release.
Node Security (nodesecurity.io) is reporting a vulnerability with the minimatch package this module implicitly depends on:
https://nodesecurity.io/advisories/118