react-modal-video

Fix - Remove Outdated stringify Package Due to Security Vulnerability

Open FabioDiCeglie opened this issue 1 year ago • 4 comments

Description: The stringify package in our repository is outdated, not utilized, and poses a potential security risk due to an identified vulnerability. Specifically, the package is no longer in use and contains a known vulnerability, the "kangax html-minifier REDoS vulnerability". This vulnerability, discovered in kangax html-minifier 4.0.0, exposes our system to Regular Expression Denial of Service (ReDoS) attacks via the candidate variable in htmlminifier.js.

Considering that the package serves no active purpose in our codebase and presents a security concern, it's imperative to remove it from the repository to mitigate any potential risks.

Action Plan:

  1. Removal of the stringify Package:
    • We propose removing the stringify package from this repository entirely.
    • This action will not impact any existing functionality as the package is not in use.

FabioDiCeglie avatar May 14 '24 13:05 FabioDiCeglie

#98

FabioDiCeglie avatar May 14 '24 14:05 FabioDiCeglie

It's such a shame to have this error for dead code. I had to spend time going back and analyzing the issue to understand.

Removing the dependency as soon as possible would save human time.

Rayanikhenache avatar May 15 '24 13:05 Rayanikhenache

@1000-x-t30 you gonna release this?

FabioDiCeglie avatar May 20 '24 17:05 FabioDiCeglie

@FabioDiCeglie sorry. Released today!

1000-x-t30 avatar May 21 '24 01:05 1000-x-t30