Skip to content

Add support of new native methods. Fix vulnerabily#10

Open
andrushkin2 wants to merge 3 commits intocomponent:masterfrom
andrushkin2:master
Open

Add support of new native methods. Fix vulnerabily#10
andrushkin2 wants to merge 3 commits intocomponent:masterfrom
andrushkin2:master

Conversation

@andrushkin2
Copy link

@andrushkin2 andrushkin2 commented Oct 9, 2022

Hey there!

The lib is a dependecy of the StoryBook project.
Current version of the lib has a vulnerabily so I fixed it and also added support of new native String methods:

  • .trimStart(str)
  • .trimEnd(start)

Feel free to ask questions

@Trott
Copy link

Trott commented Oct 9, 2022

Hi. The current version of the dependency does not have a vulnerability, but it is also not hosted in this repository. It's hosted at https://github.com/Trott/trim instead.

Unfortunately, I don't have access to close this issue or archive this repository or anything like that.

@Trott
Copy link

Trott commented Oct 9, 2022
edited
Loading

A StoryBook yarn.lock file is currently pointing to version 0.0.1 of trim. Update to at least version 0.0.2 (released almost two years ago) for the vulnerability fix (although there's probably no reason not to go 0.0.3, or for that matter 1.0.1, or for that matter to drop the dependency entirely and rely on String.prototype.trim).

@andrushkin2
Copy link
Author

andrushkin2 commented Oct 9, 2022

Thanks for the quick feedback.
Looks like I chose wrong package( Then the vulnerability is in v0.0.3 of https://github.com/Trott/trim

@andrushkin2
Copy link
Author

andrushkin2 commented Oct 9, 2022

@Trott is there a way to add a pacth for v0.0.3? I'll send a pull request if need it.
StoryBook and some other libs use v0.0.3 of the trim lib. I think the libs cannot be upgraded to the latest trim version because of breaking changes so the fastest way here is to make a patch (v0.0.4) and update package-lock to the new version.

@Trott
Copy link

Trott commented Oct 9, 2022

What makes you say it's using 0.0.3? https://github.com/storybookjs/storybook/blob/c745ff687e0dd445e0b9b4b908c1dfe75b3bfa3a/code/yarn.lock says 0.0.1.

"trim@npm:0.0.1":
  version: 0.0.1
  resolution: "trim@npm:0.0.1"
  checksum: d974971fc8b8629d13286f20ec6ccc48f480494ca9df358d452beb1fd7eea1b802be41cc7ee157be4abbdf1b3ca79cc6d04c34b14a7026037d437e8de9dacecb
  languageName: node
  linkType: hard

And 0.0.3 is not vulnerable to ReDoS while 0.0.1 is.

I don't know if GitHub permits pull requests against tags, but if you wanted to open a pull request against 0.0.3, I suppose you could try to open a request against https://github.com/Trott/trim/tree/v0.0.3. Not sure GitHub allows that though. If not, I could create a v0.x branch and then you could open it against that.

But I'm not convinced there's an issue to patch in 0.0.3....

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@andrushkin2 @Trott