decode-uri-component - high vulnerability #89

Open
gustawdaniel opened this issue May 3, 2023 · 1 comment

@gustawdaniel
There are many open issues for dependencies, e.g. this one:

#81

npm audit
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ decode-uri-component vulnerable to Denial of Service (DoS)   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decode-uri-component                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ esbuild-jest [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ esbuild-jest > babel-jest > @jest/transform > jest-haste-map │
│               │ > sane > micromatch > braces > snapdragon >                  │
│               │ source-map-resolve > decode-uri-component                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-w573-4hg7-7wgq            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ decode-uri-component vulnerable to Denial of Service (DoS)   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decode-uri-component                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ esbuild-jest [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ esbuild-jest > babel-jest > @jest/transform > jest-haste-map │
│               │ > sane > anymatch > micromatch > braces > snapdragon >       │
│               │ source-map-resolve > decode-uri-component                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-w573-4hg7-7wgq            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ decode-uri-component vulnerable to Denial of Service (DoS)   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ decode-uri-component                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ esbuild-jest [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ esbuild-jest > babel-jest > @jest/transform > jest-haste-map │
│               │ > sane > anymatch > micromatch > extglob > expand-brackets > │
│               │ snapdragon > source-map-resolve > decode-uri-component       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-w573-4hg7-7wgq            │

@aelbore, can you merge them and publish a new release? Can I help you with this?

@gustawdaniel

I am rather sad writing this, because I have recommended this library many times, but now, to fix this vulnerability, I have removed this library from my project.

npm remove esbuild-jest

replaced it by esbuild-jest-transform

npm install -D esbuild esbuild-jest-transform

then

removed all imports from @jest/globals, e.g.:

import {describe, expect, it} from '@jest/globals';

finally in jest.config.js changed

	transform: {
		'^.+\\.(ts|tsx)$': 'esbuild-jest'
	},

to

	transform: {
		'^.+\\.(ts|tsx)$': 'esbuild-jest-transform'
	},

I can confirm that the migration was successful without complications. You can read more about the differences between esbuild-jest and esbuild-jest-transform in this issue:

AkifumiSato/esbuild-jest-transform#8
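Both comments turn on the same question: which installed copies of a package fall below the patched version, and which top-level dependency pulls each one in. The script below answers it from a package-lock.json v2/v3 "packages" map. It is an added example, not code from this issue, from esbuild-jest, or from npm; the lockfile it reads is constructed inline with illustrative version numbers and mirrors the first "Path" row of the audit output above. It runs with plain node and no dependencies.

```javascript
// Added example, not code from esbuild-jest, npm or the issue's author: scan a
// package-lock.json v2/v3 "packages" map for installed copies of a package below
// its patched version and rebuild each copy's top-level-to-leaf dependency chain,
// which is what the "Path" row of `npm audit` shows.
// Advisory data taken from the audit output ("Patched in >=0.2.1").
const ADVISORY = { name: 'decode-uri-component', patchedIn: '0.2.1', id: 'GHSA-w573-4hg7-7wgq' };
// Constructed lockfile fragment; versions are illustrative, not the project's real
// lock. The chain mirrors the first audit path above; the second, already patched
// copy nested under query-string shows the check is per installed copy, not per name.
const LOCKFILE = {
  packages: {
    '': { name: 'my-app', dependencies: { 'query-string': '^7.0.0' }, devDependencies: { 'esbuild-jest': '^0.5.0' } },
    'node_modules/esbuild-jest': { version: '0.5.0', dev: true, dependencies: { 'babel-jest': '^26.0.0' } },
    'node_modules/babel-jest': { version: '26.6.3', dev: true, dependencies: { '@jest/transform': '^26.0.0' } },
    'node_modules/@jest/transform': { version: '26.6.2', dev: true, dependencies: { 'jest-haste-map': '^26.0.0' } },
    'node_modules/jest-haste-map': { version: '26.6.2', dev: true, dependencies: { sane: '^4.0.0' } },
    'node_modules/sane': { version: '4.1.0', dev: true, dependencies: { micromatch: '^3.0.0' } },
    'node_modules/micromatch': { version: '3.1.10', dev: true, dependencies: { braces: '^2.0.0' } },
    'node_modules/braces': { version: '2.3.2', dev: true, dependencies: { snapdragon: '^0.8.0' } },
    'node_modules/snapdragon': { version: '0.8.2', dev: true, dependencies: { 'source-map-resolve': '^0.5.0' } },
    'node_modules/source-map-resolve': { version: '0.5.3', dev: true, dependencies: { 'decode-uri-component': '^0.2.0' } },
    'node_modules/decode-uri-component': { version: '0.2.0', dev: true },
    'node_modules/query-string': { version: '7.1.3', dependencies: { 'decode-uri-component': '^0.2.2' } },
    'node_modules/query-string/node_modules/decode-uri-component': { version: '0.2.2' },
  },
};

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `version` sorts before `patched` (major, minor, patch).
function isBelow(version, patched) {
  const a = parseSemver(version), b = parseSemver(patched);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// 'node_modules/a/node_modules/@s/b' -> '@s/b'
const nameOf = (key) => key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);
// Which installed copy of `dep` the package at `key` sees: like Node, walk up
// the tree to the nearest node_modules/<dep>.
function resolveDep(packages, key, dep) {
  let base = key;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}
// Reverse edges: installed key -> set of keys that depend on it.
function reverseGraph(packages) {
  const parents = new Map();
  for (const [key, pkg] of Object.entries(packages)) {
    const deps = { ...pkg.dependencies, ...pkg.devDependencies, ...pkg.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const target = resolveDep(packages, key, dep);
      if (!target) continue;
      if (!parents.has(target)) parents.set(target, new Set());
      parents.get(target).add(key);
    }
  }
  return parents;
}

// Every chain from a top-level dependency down to `key`, as package names.
function chainsTo(parents, key) {
  const chains = [];
  const walk = (node, path, seen) => {
    if (node === '') { chains.push(path.map(nameOf)); return; }
    if (seen.has(node)) return; // cycle guard
    seen.add(node);
    for (const p of parents.get(node) || []) walk(p, [node, ...path], seen);
    seen.delete(node);
  };
  walk(key, [], new Set());
  return chains;
}

function audit(lock, advisory) {
  const parents = reverseGraph(lock.packages);
  const findings = [];
  for (const [key, pkg] of Object.entries(lock.packages)) {
    if (key === '' || nameOf(key) !== advisory.name) continue;
    if (!isBelow(pkg.version, advisory.patchedIn)) continue;
    findings.push({ key, version: pkg.version, dev: Boolean(pkg.dev),
      chains: chainsTo(parents, key).map((c) => c.join(' > ')) });
  }
  return findings;
}

for (const f of audit(LOCKFILE, ADVISORY)) {
  console.log(`${ADVISORY.id}: ${f.key}@${f.version}${f.dev ? ' [dev]' : ''}`);
  for (const c of f.chains) console.log('  ' + c);
}
```

On the constructed lock it reports the single decode-uri-component 0.2.0 copy, flagged `[dev]`, with the esbuild-jest chain from the audit table, and skips the patched 0.2.2 copy nested under query-string. For a real project, replace LOCKFILE with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). The `[dev]` flag is the check a practitioner wants before deciding how to respond: here the only vulnerable copy is reached through a test transform, so the DoS is reachable at test time rather than from shipped code, although that does not make `npm audit` any quieter.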
