Security Advisory 1753 - Regular Expression Denial of Service

[fernandobelong]

This advisory has appeared when running npm audit on a project with version 0.3.7 of npm-scripts-info:

URL: https://npmjs.com/advisories/1753

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ trim-newlines                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.1 <4.0.0 || >=4.0.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm-scripts-info [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm-scripts-info > meow > trim-newlines                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1753                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

[AlaricM]

You just have to upgrade meow to the latest to fix this. I just checked and your tests are all passing with meow 10.1.1

[loicraux]

💯

[loicraux]

Just remove npm-scripts-info from your dev deps and write your own script to print the infos.

A piece of code like this just does the job :

import chalk from 'chalk';

import * as packageJson from '../package.json';

const scriptsInfosPackageJsonKey = 'scripts-info';

const scriptsInfos = packageJson[scriptsInfosPackageJsonKey];

Object.entries(scriptsInfos).forEach(([script, description]) => {
    console.log(`${chalk.blue(script)}:`);
    console.log(`  ${chalk.green(description)}`);
});