
earcut.deviation suffers a DoS issue with a non-positive number as the dimensions argument

Open zyscoder opened this issue 1 year ago • 0 comments

Version

node v22.11.0 npm 10.9.0

Platform

Linux u24vm 6.8.0-48-generic #48-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 14:04:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

What steps will reproduce the bug?

  1. Try to install the package: earcut
     a. npm init -y
     b. npm shrinkwrap
     c. npm install --save earcut
     d. npm audit fix

     The final package.json is as follows:

     ```json
     {
       "name": "package-20ebb384b44e585050fe6df34ec25183",
       "version": "1.0.0",
       "main": "index.js",
       "scripts": {
         "test": "echo \"Error: no test specified\" && exit 1"
       },
       "keywords": [],
       "author": "",
       "license": "ISC",
       "description": "",
       "dependencies": {
         "earcut": "^3.0.0"
       }
     }
     ```

  2. Set up a node instance:

     ```
     node
     ```

  3. Run the following JavaScript code:

     ```javascript
     var lib = await import('earcut');
     var result = lib.deviation([0], [], 0, []);
     ```

Then the node instance will hang and no response is returned.

```
 » node
Welcome to Node.js v22.11.0.
Type ".help" for more information.
> var lib = await import('earcut');
undefined
> var result = lib.deviation([0], [], 0, []);;

(the node server hung here)
...
```

How often does it reproduce? Is there a required condition?

This issue can always be triggered following the steps above.

What is the expected behavior? Why is that the expected behavior?

Check whether the dimensions argument fits the requirement, to avoid the DoS problem.

zyscoder, Nov 25 '24 05:11
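A defensive guard for the call in this report, added here as an example that is not earcut's own code: it rejects a non-positive `dim` (the stride that makes earcut's index loop never terminate) together with hole and triangle indices the library does not validate, and forwards only checked arguments. The function names and the `deviationFn` parameter are assumptions of this example; in real use `deviationFn` would be `earcut.deviation`.

```javascript
// Added example, not earcut's own code: validate the arguments of
// earcut.deviation(data, holeIndices, dim, triangles) before calling the library.
// The reported hang comes from dim = 0: earcut steps through `data` in increments
// of dim, so a non-positive stride never reaches the end of the array. The guard
// rejects that input and neighbouring out-of-range cases the library does not check.
// Function names here are assumed, not part of earcut's API.

function validateDeviationArgs(data, holeIndices, dim, triangles) {
  // Root cause of the report: the stride must be a positive integer, and earcut
  // reads an x and a y per vertex, so anything below 2 is invalid.
  if (!Number.isInteger(dim) || dim < 2) {
    throw new RangeError(`dim must be an integer >= 2, got ${String(dim)}`);
  }
  if (!(Array.isArray(data) || ArrayBuffer.isView(data)) || data.length % dim !== 0) {
    throw new RangeError('data must be a flat array whose length is a multiple of dim');
  }
  if (!data.every(Number.isFinite)) {
    throw new RangeError('data must contain only finite numbers');
  }
  const vertexCount = data.length / dim;
  // Hole starts are vertex indices: strictly increasing, after the outer ring,
  // and before the end of the data.
  let prev = 0;
  for (const h of holeIndices ?? []) {
    if (!Number.isInteger(h) || h <= prev || h >= vertexCount) {
      throw new RangeError(`invalid hole index ${String(h)}`);
    }
    prev = h;
  }
  // Triangle output is a flat list of vertex indices, three per triangle.
  const tris = triangles ?? [];
  if (tris.length % 3 !== 0) {
    throw new RangeError('triangles length must be a multiple of 3');
  }
  for (const t of tris) {
    if (!Number.isInteger(t) || t < 0 || t >= vertexCount) {
      throw new RangeError(`triangle index ${String(t)} out of range`);
    }
  }
  return vertexCount;
}

// Forwards only validated input. The library function is passed in so this file
// runs without earcut installed; in real use pass earcut.deviation.
function safeDeviation(deviationFn, data, holeIndices, dim, triangles) {
  validateDeviationArgs(data, holeIndices, dim, triangles);
  return deviationFn(data, holeIndices, dim, triangles);
}
```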