Address DoT vulnerability

[jstoiko]

https://nodesecurity.io/advisories/798

1. assess whether this vulnerability may affect end-users of node-request-error-handler (and osprey)
2. find a fix

[wsolem]

Is there an update on this? All versions of doT have this security vulnerability, and the package hasn't been updated in two years, so it doesn't look like a fix in that package is coming soon. olado/doT#281

[jstoiko]

@postatum: can you please take a look?

[postatum]

@postatum: can you please take a look?

We only use dot.compile function and have about 2-3 use cases so I think we can rework node-request-error-handler without dot by just implementing version of dot.compile that fits our specific cases.

[Igua95]

Hi @postatum, do you have an ETA for this issue? We are also having this security threat on our codebase and we would appreciate having a fix in the following days. I'll stay tuned to this issue 👍

[jstoiko]

For the record, I don’t think this impacts us as there is no user input involved. This will be prioritized accordingly. I discussed this earlier with @wsolem, feel free to reach out if you need more details.

Btw, this has been a known caveat discussed way before the advisory: olado/doT#242 and it’s my understanding that this is a community-reported advisory (Hackerone) that is still open / unresolved only because the authors did not answer. Not to dismiss the importance of addressing those types of issues in general, but to put things in perspective.