Bugzilla – Bug 989995
VUL-1: CVE-2016-1000023: nodejs: Regular expression denial-of-service
Last modified: 2017-03-17 15:43:17 UTC
bugbot adjusting priority
I've asked upstream for an update
Answer from upstream (nodejs):
"Note that the impact of this in npm bundled with Node.js is negligible — that one is used only for package management, not as a library, and there is entirely no need for a malicious package to even bother with something like ReDOS."
So I guess we can just wait for an upstream update given this should have a lower priority, right?
(In reply to Jordi Massaguer from comment #3)
Yes, it's already tagged as VUL-1, so we'll just include it in the next update.
All current npm packages now have minimatch 3.0.3, which includes the fix for this bug.