ansi-regex - Regular Expression Denial of Service (ReDoS)
Is there an existing issue for this?
- [X] I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
- [X] I have reviewed the documentation https://docs.sentry.io/
- [X] I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases
How do you use Sentry?
Sentry Saas (sentry.io)
Which package are you using?
@sentry/nextjs
SDK Version
7.6.0
Framework Version
next.js - 12.2
Link to Sentry event
No response
Steps to Reproduce
- Install @sentry/[email protected]
- Use some stuff to check sec. issues
- Read issue description https://security.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908
@sentry/[email protected] › @sentry/[email protected] › @sentry/[email protected] › [email protected] › [email protected] › [email protected] › [email protected]
Expected Result
Zero errors in security checks
Actual Result
Error in security checks
Hi @Shramkoweb and thanks for reporting! Chatted about this with the team and the best way to fix this would be to bump Sentry CLI to v2 in the Webpack plugin. Unfortunately, we can't do this right now because it would require us to drop support for node versions <12. We're looking into ways of fixing this in a Sentry CLI v1 patch.
@Lms24 thanks. I will wait for the official fix ))
This issue has gone three weeks without activity. In another week, I will close it.
But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!
"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀
@Lms24 it's ok ⬆️?
Ahh, thanks for the reminder. We'll get to this
Hey, looks like it's been a while again, any updates?
Hi @CompeyDev we're currently trying to bump the Sentry webpack plugin to use v2 of Sentry CLI. This should fix the issue. Btw, this issue is a duplicate of #5109
This issue has gone three weeks without activity. In another week, I will close it.
But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!
"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀
Completed?
Hi @CompeyDev not yet entirely. Our plan to resolve this is as follows:
- [x] Downgrade Sentry CLI v2 minimum Node version requirement to Node 10 (we're going to drop Node 8 support in the SDKs with the new major). Sentry CLI v2 doesn't require the compromised ansi-regex version anymore.
- [x] Upgrade to CLI v2 in the sentry-javascript-bundler-plugins
- see https://github.com/getsentry/sentry-javascript-bundler-plugins/pull/153
- [ ] Bump webpack plugin v1 to v2 where we replace it with our new bundler plugin for webpack (based on unplugin)
Alright, I see.
Are there any updates about this?
@feldman22 yes, CLI was bumped to v2 in the new bundler plugins (https://github.com/getsentry/sentry-javascript-bundler-plugins/pull/153). We'll soon (famous last words, lol) replace the webpack plugin, so you'll be able to upgrade to that version once it is out. No exact ETA though, unfortunately :(
Regardless, I think the risk of this vulnerability is very, very low altogether (which however doesn't mean that we don't take it seriously, for the record).
This issue has gone three weeks without activity. In another week, I will close it.
But! If you comment or otherwise update it, I will reset the clock, and if you label it Status: Backlog or Status: In Progress, I will leave it alone ... forever!
"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀
Aaaaaaand...
Hello,
we have just released v1.75.0 of @sentry/cli, which should hopefully fix this issue.
You should be able to get this fix by removing the @sentry/cli entry from your lockfile, and running yarn or npm install again.
I've updated and I can confirm that this has been fixed. Hoorah!