@vitest/expect vulnerable to CVE-2023-43646 #4194
Comments
@BreakBB as this is just a patch version release you should be able to update

Yes @AriPerkkio you are absolutely right, thanks for pointing it out 👍🏻 It doesn't hurt though 😬

Guys, pardon my ignorance. I too came here about this vulnerability. I see vitest also listing

You're really unlikely to hit the issue, you'd need to be running tests on an old browser (like IE or PhantomJS) and have very large function names, which would cause your test suite to hang. Running
Describe the bug

@vitest/expect holds a dependency on chai, which included a version of get-func-name vulnerable to CVE-2023-43646.

vitest/packages/expect/package.json, line 39 in 6a66b35

A fix was already pushed in get-func-name (chaijs/get-func-name@f934b22) and chai (chaijs/chai#1539). As soon as a new chai version is published, it should be included in vitest/expect.

Reproduction

System Info

Used Package Manager

npm

Validations
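To check a project for this kind of transitive exposure, here is an added example (not code from the vitest project or from the issue author) that walks an npm package-lock.json for every installed copy of get-func-name, nested copies under chai included, and flags the ones older than a given fixed version. The sample lockfile, its version numbers and the FIXED_VERSION constant are constructed assumptions.

```javascript
// Added example (not from the vitest project or the issue author): audit an npm
// package-lock.json (lockfileVersion 2 or 3) for every installed copy of a package
// and report those older than the release that carries the fix. The fixed version is
// an ASSUMPTION passed in by the caller; the issue itself only names the fixing commit.

function parseSemver(v) {
  // Accept an optional leading "v"; prerelease/build suffixes are ignored.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric major.minor.patch comparison, so "2.10.0" sorts after "2.9.9".
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys every entry by install path, so a nested duplicate such as
// "node_modules/chai/node_modules/get-func-name" is found alongside the hoisted copy.
function findVulnerableCopies(lock, pkgName, fixedVersion) {
  const hits = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (!installPath.endsWith(`node_modules/${pkgName}`)) continue;
    if (entry.version && compareSemver(entry.version, fixedVersion) < 0) {
      hits.push({ path: installPath, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the hoisted get-func-name is already at the assumed
// fixed version, but chai still resolves to a nested, older copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/@vitest/expect': { version: '0.0.0', dependencies: { chai: '^4.0.0' } },
    'node_modules/chai': { version: '4.0.0', dependencies: { 'get-func-name': '^2.0.0' } },
    'node_modules/get-func-name': { version: '2.0.1' },
    'node_modules/chai/node_modules/get-func-name': { version: '2.0.0' },
  },
};
const FIXED_VERSION = '2.0.1'; // ASSUMPTION: first release containing chaijs/get-func-name@f934b22
// Expected: one hit, the nested copy under chai at 2.0.0.
console.log(findVulnerableCopies(SAMPLE_LOCK, 'get-func-name', FIXED_VERSION));
```

Running the same function over a real lockfile (JSON.parse of package-lock.json) shows whether a patch-level bump of vitest actually replaced every nested copy or whether an older one still lingers under another dependency.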