
ReDoS Vulnerability #3576

Closed
1 of 2 tasks
neil-gok opened this issue Jul 29, 2021 · 17 comments · Fixed by #3801

Comments

@neil-gok commented Jul 29, 2021

  • This is a bug
  • This is a modification request

For Bugs; How can we reproduce the behavior?

This is a vulnerability in ansi-html, which this package depends on. To repro, you can use the command below as described in Tjatse/ansi-html#19.

```javascript
require('ansi-html')('\x1b[0m\x1b[' + '0'.repeat(35))
```

Are there any plans to replace/remove this package, with a more active project? The library maintainers have been made aware of this change, but it does not look like it is being maintained. This is preventing us from moving our source code to Production, as ansi-html is being flagged.

@alexander-akait (Member)

Please open an issue in ansi-html; in the rc we use the latest version.

@neil-gok (Author)

A ticket has been open for a while, but ansi-html is not being maintained. I'm asking if webpack will continue to use an unmaintained library which has a known vulnerability, or are there plans to replace it?

@alexander-akait (Member)

We need to replace ansi-html with something else, but there is no package for this (or I can't find it), so let's wait for a fix in the ansi-html repo.

@wenxinmao

Having the same vulnerability.

@SymbioticKilla

@alexander-akait 5 years of no activity. I don't think there is a good chance that it will be fixed...

@alexander-akait (Member)

We can move the logic inside our dev server and fix it; feel free to send a PR.

@SymbioticKilla commented Aug 27, 2021

@alexander-akait I would love to but I don't have skills in this area :( I understand that the vulnerability is not important but strict compliance rules in the companies are pain in the ...

@alexander-akait (Member)

Just copy the necessary functions and refactor them; it should not be hard.
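A regex-free converter of the kind the comment above suggests, written for this page as an added example (it is not webpack-dev-server's or ansi-html's code). It scans the input exactly once, so the repro input from the opening comment is processed in time linear in its length no matter how many parameter digits follow the `ESC[`; a backtracking regex with nested optional groups is what turns that same input into a ReDoS. The SGR codes it understands (reset, bold, underline, the eight basic foreground colours), the tags it emits and the `scalesLinearly` self-check are assumptions made for illustration.

```javascript
'use strict';

// Added example, not code from webpack-dev-server or ansi-html: an ANSI
// SGR-to-HTML converter written as a single-pass scanner instead of a
// backtracking regex, so its running time is linear in the input length.
// The supported codes (0, 1, 4, 30-37) and the tag mapping are assumptions.

const FG_COLORS = {
  30: 'black', 31: 'red', 32: 'green', 33: 'yellow',
  34: 'blue', 35: 'magenta', 36: 'cyan', 37: 'white',
};

// Escape text so terminal output cannot inject markup into the overlay.
// A single character class with no quantifier cannot backtrack.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function ansiToHtml(input) {
  let html = '';
  let text = '';
  const openTags = []; // closing tags for styles currently open, in open order

  const flushText = () => { html += escapeHtml(text); text = ''; };
  const closeAll = () => { while (openTags.length) html += openTags.pop(); };
  const openTag = (tag, close) => { html += tag; openTags.push(close); };

  const applySgr = (params) => {
    // An empty parameter list (ESC[m) means reset; an empty item inside the
    // list (e.g. "1;;4") also parses as 0. Unknown codes are ignored.
    for (const p of (params === '' ? ['0'] : params.split(';'))) {
      const code = Number(p);
      if (code === 0) closeAll();
      else if (code === 1) openTag('<b>', '</b>');
      else if (code === 4) openTag('<u>', '</u>');
      else if (FG_COLORS[code]) openTag(`<span style="color:${FG_COLORS[code]}">`, '</span>');
    }
  };

  let i = 0;
  const n = input.length;
  while (i < n) {
    if (input[i] === '\x1b' && input[i + 1] === '[') {
      // Parameter bytes are digits and ';'. Each byte is inspected once and
      // never re-scanned, which is what rules out catastrophic backtracking.
      let j = i + 2;
      while (j < n && (input[j] === ';' || (input[j] >= '0' && input[j] <= '9'))) j++;
      if (j < n && input[j] === 'm') {
        flushText();
        applySgr(input.slice(i + 2, j));
        i = j + 1;
      } else {
        // Either a non-SGR CSI sequence (final byte 0x40-0x7E, e.g. ESC[2K)
        // or a sequence truncated at end of input, as in the repro: drop it.
        const code = j < n ? input.charCodeAt(j) : 0;
        i = (code >= 0x40 && code <= 0x7e) ? j + 1 : j;
      }
      continue;
    }
    text += input[i];
    i++;
  }
  flushText();
  closeAll(); // close styles still open at end of input
  return html;
}

// Self-check: feeding the repro shape with ten times as many digits should
// cost roughly ten times as long, not explode. The bound is deliberately loose.
function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}
function scalesLinearly() {
  const small = timeMs(() => ansiToHtml('\x1b[0m\x1b[' + '0'.repeat(1e5)));
  const big = timeMs(() => ansiToHtml('\x1b[0m\x1b[' + '0'.repeat(1e6)));
  return big < Math.max(small, 1) * 100;
}

console.log(JSON.stringify(ansiToHtml('\x1b[31mred\x1b[0m plain')));
console.log(JSON.stringify(ansiToHtml('\x1b[0m\x1b[' + '0'.repeat(35))));
console.log('linear scaling:', scalesLinearly());
```

The converter is deliberately conservative: anything that is not a complete SGR sequence is dropped rather than echoed, and all literal text goes through `escapeHtml`, so a build tool's coloured output cannot smuggle markup into the overlay.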

@ylemkimon (Contributor) commented Aug 30, 2021

Another way would be to use generateAnsiHTML from CRA react-error-overlay (https://github.com/facebook/create-react-app/blob/main/packages/react-error-overlay/src/utils/generateAnsiHTML.js). It's MIT-licensed, so it'd be compatible with the dev server.

@alexander-akait (Member) commented Aug 30, 2021

@ylemkimon feel free to send a PR, also I think it can be part of #3689 (we can improve our overlay in multiple PRs)

@ggarcia-ibm

Issue Tjatse/ansi-html#19 was fixed in version 0.0.8. Any chance webpack-dev-server can pick this up?

@alexander-akait (Member)

@garcia323 PR welcome

@SymbioticKilla

@garcia323 There is no 0.0.8 version. I don't think that PR will be merged: Tjatse/ansi-html#20

@arborrow commented Sep 4, 2021

It looks like someone forked the project and created a 0.0.8 version that fixes the vulnerability at gebhardtr/ansi-html@7cb72a3 - so perhaps as per Tjatse/ansi-html#20 they might be able to update https://www.npmjs.com/package/ansi-html to point to the forked version and then folks here could bump the package.json to require 0.0.8 and above. Otherwise, folks here should probably find a way to move away from the abandoned and vulnerable package.

@carlobeltrame (Contributor) commented Sep 5, 2021

> We can move the logic inside our dev server and fix it; feel free to send a PR.

I have opened PR #3798 as a proposal. It might be preferable to use the ansi-html-community package instead. Let me know what you think.

EDIT: Since the maintainers of webpack-dev-server didn't like the necessary Apache 2.0 License in their codebase next to the copied code, I have opened yet another PR #3801, which instead uses the new fork ansi-html-community.

@Buddhad commented Jan 26, 2022

I have faced the same problem. How do I resolve this error?

@carlobeltrame (Contributor)

Just update webpack-dev-server to a more recent version. This has been fixed for a few months now.


9 participants