Vulnerability in `url-regex` indirect dependency

[silverwind]

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ url-regex                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fomantic-ui                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ fomantic-ui > gulp-concat-css > rework-import > url-regex    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1550                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

All these dependencies look pretty unmaintained to me so I think the best course of action would be to look for alternatives to gulp-concat-css.

[PMudra]

Some additions:

• gulp-concat-css: 2 years ago
• rework-import: 5 years ago
• url-regex: a year ago

Upstream issue: kevva/url-regex#70

This issue is fixed in my maintained and modern version of this package at https://github.com/niftylettuce/url-regex-safe. You should be able to switch from url-regex to url-regex-safe now.

[ceisele-r]

Well this would mean that gulp-concat-css would have to depend on a forked rework-import package that depends on https://github.com/niftylettuce/url-regex-safe. Since they all seem to be unmaintained, none of them will probably switch to any other dependency meaning as @silverwind supposed the way to go is probably replacing gulp-concat-css.

[gilquintana]

One question: do you have an estimated date for the attencion of this issue?

[lubber-de]

One question: do you have an estimated date for the attencion of this issue?

Whenever somebody volunteers to maintain new packages or rewrite the dependency code to be directly included into the core

[phiberber]

One question: do you have an estimated date for the attention of this issue?

Whenever somebody volunteers to maintain new packages or rewrite the dependency code to be directly included in the core

There's a branch that can be used that uses the URL regex safe dependency. I can create a PR using it if you want me to.

https://github.com/Cj-bc/gulp-concat-css/tree/use_url-regex-safe_rework-import

[lubber-de]

There's a branch that can be used that uses the URL regex safe dependency. I can create a PR using it if you want me to.

https://github.com/Cj-bc/gulp-concat-css/tree/use_url-regex-safe_rework-import

Thanks, you are welcome to provide a proper PR.