Update npm packages

[lfatty]

Regular Expression Denial of Service

High severity
Vulnerable module: minimatch
Detailed paths

Introduced through: retirement@cfpb/retirement#ebcfc7198ec2a9d390ea7f884a931f25dffe1646 ›
[email protected] › [email protected] › [email protected] › [email protected]
Introduced through: retirement@cfpb/retirement#ebcfc7198ec2a9d390ea7f884a931f25dffe1646 ›

minimatch is a minimalistic matching library used for converting glob expressions into JavaScript RegExp objects.

An attacker can provide a long value to the minimatch function, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack).

"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time."

[higs4281]

This has been raised as a broader issue with the platform team.

[sebworks]

@lfatty, what tool was used to find this vulnerability?

[lfatty]

@sebworks, https://snyk.io/ was used to testing the dependencies.

[ascott1]

@sebworks installing snyk globally and running snyk wizard should apply patches for all of the impacted dependencies

[sebworks]

ok, just thought he might have been using an alternative tool. Thanks all.