Regular Expression Denial of Service (ReDoS)

[tomhsiao1260]

Yesterday there was a new npm report on dat.gui, which states that dat.gui would result in a severity vulnerability (would get a warning message after using "npm i dat.gui" command). Can anyone explain more about this warning?

https://www.npmjs.com/advisories/1701

[tomhsiao1260]

Oh, I found that someone has already sent a PR #279 (7 months ago). Hope it can be merged as soon as possible to remove this severity vulnerability warning.

[jmariller]

Hi,

I am still getting a high severity vulnerability with dat.gui:

Even though version 0.7.7 is installed for my project - any ideas why? Looking into interpret.js it seems like the latest patches were not actually applied, can that be?

Many thanks

[jmariller]

@tomhsiao1260 could you possibly re-open this issue?

[tomhsiao1260]

Seems that this project is no longer maintained by its owner. Though this issue has already fixed in this GitHub repo, the npm version (published a year ago ...) is still not updated. It is worth mentioning that Mr.doob (three.js project owner) also tried to access the dat.gui npm package 3 months ago in order to fix this vulnerability. But it seems that there is no further progress.

However, in my opinion, ReDos attack is harmless when developing a frontend-only projects. So if you still want to use this tool without showing the severity vulnerability, you can use them locally like what I did in this project.

[jmariller]

Thank you @tomhsiao1260 for the clarification and for having reopened the issue!

[nyan-left]

do we have any updates on this? :)

[ugogon]

Yes, can we at least bump the current git master to version 0.7.8 so we do not get the warning if we add
"dat.gui": "git+https://github.com/dataarts/dat.gui.git", to our package.json dependencies.

[tomhsiao1260]

Finally, someone tried an alternative to dat.gui 🙌

lil-gui: https://github.com/georgealways/lil-gui
related issue: mrdoob/three.js#22765

[mrdoob]

0.7.8 is now on npm with the fix.
But yes, please migrate to lil-gui if you can 🙏