npm-scripts-info
Security Advisory 1753 - Regular Expression Denial of Service
This advisory has appeared when running npm audit on a project with version 0.3.7 of npm-scripts-info:
URL: https://npmjs.com/advisories/1753
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ trim-newlines │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=3.0.1 <4.0.0 || >=4.0.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm-scripts-info [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ npm-scripts-info > meow > trim-newlines │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1753 │
└───────────────┴──────────────────────────────────────────────────────────────┘
You just have to upgrade meow to the latest to fix this. I just checked and your tests are all passing with meow 10.1.1.
💯
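To confirm that an upgrade actually moved every resolved copy of trim-newlines into the advisory's patched range (`>=3.0.1 <4.0.0 || >=4.0.1`), the lockfile can be checked directly. The following is an added example, not code from this thread or from the npm-scripts-info project; the function names and the sample lockfile are constructed for illustration, and prerelease suffixes are ignored as a simplifying assumption.

```javascript
// Added example: flag trim-newlines entries in a package-lock.json that fall
// outside the patched range from advisory 1753: >=3.0.1 <4.0.0 || >=4.0.1

// Parse "x.y.z" into [x, y, z]; prerelease/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Three-way comparison of two parsed versions.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside the advisory's patched range.
function isPatched(version) {
  const v = parseVersion(version);
  const in3x = compare(v, [3, 0, 1]) >= 0 && compare(v, [4, 0, 0]) < 0;
  const in4x = compare(v, [4, 0, 1]) >= 0;
  return in3x || in4x;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed copy of the package that is not patched.
function findVulnerable(lock, name = 'trim-newlines') {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.split('node_modules/').pop() !== name) continue;
    if (!isPatched(entry.version)) findings.push({ path, version: entry.version });
  }
  return findings;
}

// Constructed sample lockfile (not taken from a real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-project', version: '1.0.0' },
    'node_modules/npm-scripts-info': { version: '0.3.7', dev: true },
    'node_modules/trim-newlines': { version: '1.0.0', dev: true },
    'node_modules/other/node_modules/trim-newlines': { version: '4.0.2' },
  },
};

console.log(findVulnerable(sampleLock));
```

For a real project, pass the parsed contents of `package-lock.json` to `findVulnerable` in place of `sampleLock`.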
Just remove npm-scripts-info from your dev deps and write your own script to print the info.
A piece of code like this just does the job:
import chalk from 'chalk';
import * as packageJson from '../package.json';

// Key in package.json that maps each script name to its description
const scriptsInfosPackageJsonKey = 'scripts-info';
const scriptsInfos = packageJson[scriptsInfosPackageJsonKey];

// Print each script name followed by its description
Object.entries(scriptsInfos).forEach(([script, description]) => {
  console.log(`${chalk.blue(script)}:`);
  console.log(` ${chalk.green(description)}`);
});