On Sunday, 20 July 2025, 20:38:47 Central European Summer Time, Bastien Roucaries wrote:
> Hi elbrus
>
> On Sunday, 20 July 2025, 14:51:06 Central European Summer Time, Paul
> Gevers wrote:
> > Control: tags -1 moreinfo
> >
> > Hi,
> >
> > On Sun, 20 Jul 2025 11:21:45 +0200 Bastien Roucaries <ro...@debian.org>
> > wrote:
> > > [ Reason ]
> > > Affected by a ReDoS (outside upstream security support), but this blocks
> > > the autopkgtest for angular.js, which is affected by about 10 CVEs
> >
> > Can you please explain why upstream declined your patch and why we
> > should carry it?

They explicitly said that ReDoS is not a security problem.

Upstream is willing to fix the problem but needs a self-contained test case:
https://github.com/jsdom/jsdom/pull/3896

Can we proceed to unblock while we try to get a self-contained test case?

rouca

> > Are reverse dependencies using this package for use
> > cases it wasn't intended for (and not supported upstream)?
>
> We use node-jsdom for testing angular.js and thus hit a ReDoS in node-jsdom
> before hitting the ReDoS in angular.js.
>
> jsdom is the gold standard for automated testing of JS.
>
> I have reported it to jsdom's security support and we are trying to get the
> patch merged as an improvement, not as security support.
>
> > Please assume
> > I know nearly nothing about the node ecosystem.
> >
> > Paul