Regex Denial of Service requires a semver major update to clean-css #3616
Also, it is to be noted that (apart from the difficulty in making See this comment by the author, who is doing releases just because of kindness:
Originally posted by @jakubpawlowicz in clean-css/clean-css#1105 (comment)
@muxator that's right,
Bumping The first one was more or less described in the documentation and in some GitHub issues. For the second one there was no other way than to read the code and understand how to read a local file from an absolute path. Probably this is worth a documentation PR on Changes:
Resource inlining was simplified in clean-css 4.x, but now we can no longer give a base path in Gosh, this was hard to understand.
Etherpad 1.7.5 uses `clean-css@3.4.19`, which contains a Regular Expression Denial of Service. A fix would require updating to `clean-css@4.2.1`, as shown by `npm audit`:
The [documentation for clean-css 4.2.1 explains the breaking change](https://github.com/jakubpawlowicz/clean-css/tree/v4.2.1#important-40-breaking-changes):
And this change affects Etherpad:
etherpad-lite/src/node/utils/Minify.js
Line 418 in 357780d