This repository has been archived by the owner on May 6, 2024. It is now read-only.
As a BEARS security engineer, in order to address outstanding ReDoS security findings, I would like to update our dependencies to incorporate ReDoS-resistant tooling.
Security findings 6 (css-what) and 10 (glob-parent) relate to our use of Nuxt v2.15.8. These findings are both considered "moderate" and relate to "ReDoS" (Regular Expression Denial of Service) vulnerabilities.
Unfortunately, 2.15.8, released on August 11, 2021, is the current release. The most recent commit to the default branch was on December 17, 2021.
It appears that nuxt v2 isn't receiving active development. Issue #9284 was created when the issue was discovered. It seems like attention is being focused on v3 and the v2 => v3 bridge projects.
For what it's worth, a release candidate of v3 is currently (May, 2022) available. That said, v2 => v3 is a major release and, by semantic versioning standards, involves changes that are not backwards-compatible. It's entirely possible that we'll need to rewrite some code to go from v2 to v3.
Pre-conditions:
A version of Nuxt is available that addresses concerns with css-what and glob-parent
Acceptance Criteria:
Definition of Done: