Thanks for the report!
As an FYI for the future, that is not the library homepage as labeled and a link to the posted vulnerability is helpful.
This appears to have been fixed in color-string 1.5.5.
The second line of your dependency tree is different from what I'm seeing, and the switch to using a fork of the diagnostics package was in Winston as of 3.3.2, a couple of years ago. I don't know why you're seeing something different.
🔎 Search Terms
color-string-1.5.3
The problem
Vulnerable Library - color-string-1.5.3.tgz
Parser and generator for CSS color strings
Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/color-string/package.json
Dependency Hierarchy:
winston-3.6.0.tgz (Root Library)
diagnostics-2.0.2.tgz
colorspace-1.1.2.tgz
color-3.0.0.tgz
❌ color-string-1.5.3.tgz (Vulnerable Library)
Vulnerability Details
A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in Color-String version 1.5.5 and below, which occurs when the application is provided with, and checks, a crafted invalid HWB string.
What version of Winston presents the issue?
v3.6.0
What version of Node are you using?
v12
If this worked in a previous version of Winston, which was it?
No response
Minimum Working Example
No response
Additional information
No response