What are you trying to do?
Resolve a vulnerability in the path-to-regexp library that is used in older versions of ant-design/pro-components/pro-layout, exposing the DoS vulnerability described here. Fixing it requires a bump in the package version from 2.4.0 to at least 3.3.0. ant-design/pro-components has already patched the issue in v2.7.19.
@plasmicpkgs/plasmic-rich-components still requires v2.6.4.
Is there a roadmap to when this dependency version will be bumped?
What are the reproduction steps?
Check out the resources linked.
Hi @noah_mc-graw,
Thank you for reporting this issue. We will review it internally and provide an update accordingly.
Any updates on this @muhammad_asim?
Hey @noah_mc-graw,
Thanks for checking in on this. Due to the nature of the vulnerability, we don’t believe the vulnerable path-to-regexp package version can be exploited based on its usage in @ant-design/pro-layout (see Code search results · GitHub). Since there is non-trivial effort required to upgrade major versions, we have decided to put this in the backlog until we decide to do further work on the rich components.
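Added example (not from this thread, and not Plasmic's, ant-design's or path-to-regexp's own code): the reply above rests on the point that this bug is only reachable through particular route patterns, so the practical check is to audit the patterns your code hands to path-to-regexp. The path-to-regexp advisory (CVE-2024-45296) names the condition as two parameters inside one path segment separated by anything other than a period, e.g. `/:a-:b`, whose generated regex backtracks polynomially on inputs such as `/a` + `-a`.repeat(n) + `/a`. The helper below flags such patterns and models the vulnerable and patched regex shapes side by side. The regex shapes, the `PARAM` token syntax and every function name are simplifications assumed for illustration, not the library's real API; the sample patterns are constructed. Assumes Node.js.

```javascript
// Added example, not code from the thread or from path-to-regexp.
// Audit helper for the path-to-regexp ReDoS (CVE-2024-45296): flag route
// patterns with two params in one segment not separated by ".", and model
// the regex the vulnerable and patched library versions would build.
// The regex shapes are a simplified model written for illustration.

const PARAM = /:([A-Za-z0-9_]+)/g; // ":name" tokens (assumed simplified syntax)

// Escape a literal for use outside a character class.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
// Escape a single character for use inside a character class.
const escapeClass = (c) => (/[\]\\^-]/.test(c) ? '\\' + c : c);

// Report the segments of one route pattern that meet the advisory's condition.
// Conservative: any separator other than exactly "." (including none) is flagged.
function riskySegments(pattern) {
  const risky = [];
  for (const segment of pattern.split('/')) {
    const params = [...segment.matchAll(PARAM)];
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const separator = segment.slice(prev.index + prev[0].length, params[i].index);
      if (separator !== '.') {
        risky.push({ segment, separator });
        break;
      }
    }
  }
  return risky;
}

// Filter a list of route patterns down to those that need attention.
function findRiskyPatterns(patterns) {
  return patterns.filter((p) => riskySegments(p).length > 0);
}

// Model of the regex source generated for one segment.
// Vulnerable shape: every parameter becomes ([^\/]+?).
// Patched shape: a parameter followed by a literal separator also excludes
// that separator's first character, so the engine cannot re-split the input.
function segmentRegexSource(segment, patched) {
  const params = [...segment.matchAll(PARAM)];
  let src = '';
  let pos = 0;
  params.forEach((m, i) => {
    src += escapeRe(segment.slice(pos, m.index));
    const next = params[i + 1];
    const separator = next ? segment.slice(m.index + m[0].length, next.index) : '';
    const cls = patched && separator ? `[^\\/${escapeClass(separator[0])}]` : '[^\\/]';
    src += `(${cls}+?)`;
    pos = m.index + m[0].length;
  });
  return src + escapeRe(segment.slice(pos));
}

// Build the full matcher for a single-segment pattern such as "/:a-:b".
function pathRegexp(pattern, patched) {
  const segment = pattern.replace(/^\//, '');
  return new RegExp(`^\\/${segmentRegexSource(segment, patched)}\\/?$`, 'i');
}

// The advisory's probe shape: many candidate split points, then a tail that
// forces the overall match to fail and every split to be retried.
function probeInput(n) {
  return '/a' + '-a'.repeat(n) + '/a';
}

// Time one match. Call e.g. timeMatch(pathRegexp('/:a-:b', false), probeInput(4000))
// against the patched variant to see the quadratic blow-up; not run here.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  return { matched, ms: Number(process.hrtime.bigint() - start) / 1e6 };
}
```

Run `findRiskyPatterns` over the patterns a component actually registers: if none contain two parameters in one segment with a non-period separator, the vulnerable regex shape is never built, which is the kind of usage argument made in the reply above. The patched shape still matches ordinary paths (`/x-y`), but on the probe input the first capture group can no longer absorb `-`, so the match fails after a single pass instead of retrying every split point.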