Security issue with old version of Diff dependency #1257

Closed
robseaman opened this issue Jun 14, 2019 · 6 comments

Comments

@robseaman

I received a security issue from GitHub last night on my repo which uses documentation:

WS-2018-0590
high severity
Vulnerable versions: < 3.5.0
Patched version: 3.5.0
A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

The more info points to this fix done for v3.5.0
kpdecker/jsdiff@2aec429

The root cause seems to be documentation's dependency on disparity which is using a very old version of diff. I posted the issue on disparity but noticed it hasn't been updated in years. I'm posting the issue here as well so you could track and take appropriate actions. Here's the link to the issue I posted: millermedeiros/disparity#3

@tmcw
Member

tmcw commented Jun 14, 2019

When disparity releases a bump it'll be automatically included by semver unless they decide to create a major version bump.

To anyone tuning in, this is not an exploitable vulnerability. With the way that most folks use documentation.js, the security theater is just not really relevant: this isn't a module people use in servers or run on untrusted input.

@sbrl

sbrl commented Jun 17, 2019

@tmcw Not sure I get it. Are you saying that because disparity specifies ^1.3.2, it needs to bump this to at least ^3.0.0?

Not sure it's going to happen, tbh - the last release from disparity is 4 years ago, and the author doesn't appear to be active on GH.

Is there a more up-to-date package that does the same thing?

@tmcw
Member

tmcw commented Jun 17, 2019

Yes, disparity would release a new version that bumps their diff dependency, and documentation.js would be updated to the new diff dependency.

If you desire this sooner, or want to find a replacement for disparity, please go for it. This form of GitHub's security reminder is severely unhelpful because it's raising an alarm about nothing: there is absolutely no way to exploit documentation.js based on this vulnerability, and all that GitHub is doing is creating box-checking gruntwork for maintainers by labeling most vulnerabilities as 'high severity'.
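The semver point in the two comments above (disparity pins diff with ^1.3.2, the ReDoS fix ships in diff 3.5.0) can be checked mechanically. The following is an added example, not code from documentation.js, disparity or jsdiff: a minimal caret-range check in the spirit of npm's semver rules, used to see whether a transitive pin can ever resolve to the patched release. The dependency chain values are constructed from the issue text; only the ^x.y.z range form is handled.

```javascript
// Parse "1.3.2" or "v1.3.2" into [major, minor, patch]; prerelease tags are not handled.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// A caret range allows changes that do not modify the left-most non-zero digit:
// ^1.3.2 => >=1.3.2 <2.0.0, ^0.2.3 => >=0.2.3 <0.3.0, ^0.0.3 => >=0.0.3 <0.0.4
function caretUpperBound([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges are handled: ${range}`);
  const low = parseVersion(range.slice(1));
  const high = caretUpperBound(low);
  const v = parseVersion(version);
  return compareVersions(v, low) >= 0 && compareVersions(v, high) < 0;
}

// Triage helper: can the range an intermediate package declares ever pick up
// the patched version? If not, `npm update` in the consumer cannot fix it; the
// intermediate package must widen its range or the consumer must replace it.
function patchReachable(declaredRange, patchedVersion) {
  return satisfiesCaret(declaredRange, patchedVersion);
}

// Constructed chain from the issue: documentation -> disparity -> diff.
// disparity declares ^1.3.2 on diff; the ReDoS fix (WS-2018-0590) is in diff 3.5.0.
const chain = [
  { pkg: 'disparity', dep: 'diff', range: '^1.3.2' },
];
for (const { pkg, dep, range } of chain) {
  const ok = patchReachable(range, '3.5.0');
  console.log(`${pkg} -> ${dep}@${range}: patched 3.5.0 reachable? ${ok}`);
}
```

For the chain in the issue the answer is false, which is why the advisory keeps firing until disparity (or its replacement) changes the declared range.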

@sbrl

sbrl commented Jun 17, 2019

Very true. The notification doesn't take the context that it's used into account.

Currently this isn't really on my priority list for now, but it's showing up as a persistent notification on my package powahroot (which uses documentation).

Who knows, I might eventually get around to it if I get annoyed by it enough - but for the foreseeable future I've got quite a lot on at the moment :P

@ben-turner
Contributor

This is fixed with #1264

@tmcw
Member

tmcw commented Jul 16, 2019

And released in 12.0.2. Thanks Ben!

@tmcw tmcw closed this as completed Jul 16, 2019
robseaman added a commit to precor/web-api-bridge that referenced this issue Aug 15, 2019