WS-2015-0017 (Medium) detected in uglify-js-2.3.6.tgz

[mend-bolt-for-github]

WS-2015-0017 - Medium Severity Vulnerability

Vulnerable Library - uglify-js-2.3.6.tgz

JavaScript parser, mangler/compressor and beautifier toolkit

Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-2.3.6.tgz

Path to dependency file: /Book_trading_club/package.json

Path to vulnerable library: /tmp/git/Book_trading_club/node_modules/uglify-js/package.json

Dependency Hierarchy:

• hbs-3.1.1.tgz (Root Library)
  • handlebars-3.0.0.tgz
    • ❌ uglify-js-2.3.6.tgz (Vulnerable Library)

Vulnerability Details

Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().

Publish Date: 2015-10-24

URL: WS-2015-0017

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/48

Release Date: 2015-10-24

Fix Resolution: Update to version 2.6.0 or later

---

Step up your Open Source Security Game with WhiteSource here

[issue-label-bot]

Issue-Label Bot is automatically applying the label bug to this issue, with a confidence of 0.94. Please mark this comment with 👍 or 👎 to give our bot feedback!

Links: app homepage, dashboard and code for this bot.