ReDoS Vulnerability in script-manager



  • Hi there,

    I am wondering if jsReport will provide a patch for the following vulnerability:

    [uploaded image]

    Thanks!



  • I have commented on the nodesecurity project topic here

    We have just released the beta version of v2. We tried to update as many dependencies as we could across the 100 repositories we maintain. Regardless of our efforts, the nsp report will always show some errors.
    Please understand that a security warning in such a report typically has no meaning for jsreport. It is some kind of vulnerability in one of the 20,000 files jsreport uses, in a function jsreport very likely does not use at all. These reports are rather useful for libraries, which need to cover all possible vulnerabilities in all the ways they can be used.
    Conclusion
    We update dependencies regularly during releases and make sure everything works in a stable way.
    Don't panic if you see an error in a "security report". It likely does not affect you, and the update of the dependency should come soon. However, if you find a vulnerability that directly affects jsreport, please let us know via email. Thank you.

    I verified the particular vulnerability, and it affects a function in an external package we don't even use. Please send me an email if I am wrong and there is a direct path by which the vulnerability could be exposed. We would react quickly.

    Thank you
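The triage the maintainer describes above, done mechanically, as an added example that is not jsreport's code and not part of the post. Given an audit finding against a package, it answers two questions: how, if at all, the flagged package is reachable from the application, and whether the consumer that pulls it in actually calls the flagged function. It assumes the nested package-lock.json v1 layout; every package name, version, the flagged function name `matchGlob` and the consumer source text are constructed for the illustration.

```javascript
// Added example (not jsreport code): triage an audit finding against a
// dependency by checking reachability and call sites. All names below are
// constructed; `regex-helper` stands for the flagged package.

// Constructed package.json `dependencies` of a hypothetical application.
const appPkg = {
  name: 'my-app',
  dependencies: { 'report-engine': '^1.2.0', 'left-pad-ish': '^1.0.0' },
};

// Constructed package-lock.json (v1 layout). The top-level map also holds
// hoisted transitive packages; each entry lists what it `requires`, and a
// nested `dependencies` map appears where a conflicting version had to be
// installed next to its consumer instead of being hoisted.
const lock = {
  dependencies: {
    'report-engine': {
      version: '1.2.0',
      requires: { 'template-utils': '^2.0.0' },
      dependencies: {
        'template-utils': { version: '2.1.0', requires: { 'regex-helper': '^0.3.0' } },
      },
    },
    'left-pad-ish': { version: '1.0.0', requires: { 'template-utils': '^1.0.0' } },
    'template-utils': { version: '1.9.0' }, // hoisted older copy, used only by left-pad-ish
    'regex-helper': { version: '0.3.1' },   // the package named in the hypothetical finding
  },
};

// Node resolves require() against the nearest node_modules going up the tree,
// so a requirement is satisfied by the innermost scope that has it.
function resolveDep(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i][name]) return scopes[i][name];
  }
  return null;
}

// Every dependency path from the application to `target`, as arrays of
// "name@version" strings. A direct dependency yields a one-element path.
function findPaths(pkg, lock, target) {
  const paths = [];
  function walk(name, node, scopes, path, seen) {
    if (name === target) paths.push(path);
    const childScopes = node.dependencies ? [...scopes, node.dependencies] : scopes;
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolveDep(dep, childScopes);
      if (!child) continue;                 // inconsistent lock file: nothing to follow
      const key = `${dep}@${child.version}`;
      if (seen.has(key)) continue;          // cycle guard
      walk(dep, child, childScopes, [...path, key], new Set(seen).add(key));
    }
  }
  const rootScopes = [lock.dependencies];
  for (const dep of Object.keys(pkg.dependencies || {})) {
    const node = resolveDep(dep, rootScopes);
    if (!node) continue;
    const key = `${dep}@${node.version}`;
    walk(dep, node, rootScopes, [key], new Set([key]));
  }
  return paths;
}

// Does the CommonJS source of one consumer call `exportName` of `packageName`?
// Covers `const h = require('pkg'); h.fn()` and `const { fn: local } = require('pkg'); local()`.
// Textual first pass only: re-exports, computed property access and aliasing
// through other modules still need a human reading of the code.
function usesExport(source, packageName, exportName) {
  const esc = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const req = `require\\(\\s*['"]${esc(packageName)}['"]\\s*\\)`;
  const aliasRe = new RegExp(`(?:const|let|var)\\s+([A-Za-z_$][\\w$]*)\\s*=\\s*${req}`, 'g');
  const destructRe = new RegExp(`(?:const|let|var)\\s*\\{([^}]*)\\}\\s*=\\s*${req}`, 'g');
  const called = (ident) => new RegExp(`\\b${esc(ident)}\\s*\\(`).test(source);
  let m;
  while ((m = aliasRe.exec(source)) !== null) {
    if (called(`${m[1]}.${exportName}`)) return true;
  }
  while ((m = destructRe.exec(source)) !== null) {
    for (const part of m[1].split(',')) {
      const [orig, local = orig] = part.trim().split(/\s*:\s*/);
      if (orig === exportName && called(local)) return true;
    }
  }
  return false;
}

// Combine both answers for one finding. `sources` maps "name@version" of a
// consumer to its source text.
function triage(pkg, lock, target, exportName, sources) {
  const paths = findPaths(pkg, lock, target);
  const consumers = [...new Set(paths.filter((p) => p.length > 1).map((p) => p[p.length - 2]))];
  return {
    reachable: paths.length > 0,
    direct: paths.some((p) => p.length === 1),
    paths,
    calledBy: consumers.filter((c) => c in sources && usesExport(sources[c], target, exportName)),
  };
}

// Constructed source of the only consumer of regex-helper: it calls
// `interpolate` and `escape`, never the hypothetical flagged `matchGlob`.
const sources = {
  'template-utils@2.1.0': [
    "'use strict';",
    "const helper = require('regex-helper');",
    "const { escape: esc } = require('regex-helper');",
    'exports.render = (tpl, data) => esc(helper.interpolate(tpl, data));',
  ].join('\n'),
};

console.log(JSON.stringify(triage(appPkg, lock, 'regex-helper', 'matchGlob', sources), null, 2));
```

The path search is the part worth automating: the report names a package, but the question that matters is which of your direct dependencies drags it in and at which version, and the scope-aware resolution above is what distinguishes a nested copy from a hoisted one. The call-site check is deliberately a coarse filter; the authoritative answer is still reading the consumer's code, which is what the maintainer says he did.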



  • That makes perfect sense. Thanks!

