This repository has been archived by the owner on Nov 4, 2023. It is now read-only.

Resolve security issue CVE-2022-38900 #41

Closed
wants to merge 1 commit into from

Conversation

JESii commented Nov 3, 2023

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Reported by GitHub Dependabot last year; high severity.
Bumped decode-uri-component to v0.2.2, which resolves this issue.

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
Reported by GitHub Dependabot last year; high severity.
lydell (Owner) commented Nov 3, 2023

^0.2.0 already allows version 0.2.2. Why is this needed?

JESii (Author) commented Nov 3, 2023

It may "allow" it, but the package.json says 0.2.0 and that's what's included. Since other folks use this module, specifically upgrading to the version that doesn't have the security violation resolves the problem.

lydell (Owner) commented Nov 3, 2023

Do you mean that you have some tool that gives you warnings because source-map-resolve has the potential to install a vulnerable version? Shouldn’t it give you warnings based on what you actually install?

But – anyway. I find it boring to use my free time to do things with this deprecated package that I don’t like. It might be easy to fix this thing, but in a couple of months there will be some other vulnerability in some other dependency and the cycle repeats. Or someone finds a vulnerability in source-map-resolve itself. Not fun.

There is absolutely no reason to use source-map-resolve. It is deprecated. The things that depend on source-map-resolve are either deprecated, unmaintained or vulnerable, and they all have better alternatives. I would spend my time on upgrading instead.
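The caret-range point argued in the exchange above, worked through as an added example that is not part of the PR or of source-map-resolve: a `^0.2.0` range already admits 0.2.2, so the version an advisory should be judged against is the one pinned in the lockfile, not the declared range. The lockfile fragment below is constructed, and the checker handles only caret ranges and plain `X.Y.Z` versions.

```javascript
// Added example (not from the PR or source-map-resolve): npm caret-range
// semantics and a check of the version actually pinned in a lockfile.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way comparison of two dotted versions (no prerelease handling).
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Caret rule: "^X.Y.Z" allows updates that keep the leftmost non-zero
// component fixed, so ^1.2.3 is <2.0.0, ^0.2.0 is <0.3.0, ^0.0.3 is <0.0.4.
function caretUpperBound(range) {
  if (!range.startsWith('^')) throw new Error('only caret ranges handled');
  const [maj, min, pat] = parseVersion(range.slice(1));
  if (maj > 0) return `${maj + 1}.0.0`;
  if (min > 0) return `0.${min + 1}.0`;
  return `0.0.${pat + 1}`;
}

function satisfiesCaret(version, range) {
  return compare(version, range.slice(1)) >= 0 &&
    compare(version, caretUpperBound(range)) < 0;
}

// Constructed package-lock "packages" fragment: this is the installed version.
const LOCKFILE = {
  packages: { 'node_modules/decode-uri-component': { version: '0.2.0' } },
};

// vulnerable: the pinned version is below the first fixed release.
// rangeAdmitsFix: the declared range already allows the fixed release, so a
// lockfile refresh (not a range bump) is what changes what gets installed.
function auditPin(lockfile, name, declaredRange, fixedVersion) {
  const installed = lockfile.packages[`node_modules/${name}`].version;
  return {
    installed,
    vulnerable: compare(installed, fixedVersion) < 0,
    rangeAdmitsFix: satisfiesCaret(fixedVersion, declaredRange),
  };
}

console.log(auditPin(LOCKFILE, 'decode-uri-component', '^0.2.0', '0.2.2'));
```

Run against a real package-lock.json the same way: if `rangeAdmitsFix` is true while `vulnerable` is true, the fix is a lockfile update in the consuming project, which is what the two sides of the thread are disagreeing about.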

lydell closed this Nov 3, 2023

JESii (Author) commented Nov 3, 2023

So why don't you turn over maintenance to someone who can spend a tiny amount of time to accept fixes?

You created an open source module -- it currently has 16,693,879 weekly downloads -- and you're unwilling to accept a PR to fix a security vulnerability?... Sad.

lydell (Owner) commented Nov 3, 2023

Your PR does not fix a security vulnerability.

I suggest you fork the packages you use and maintain them.
