trim-safe 1.0.0 → 1.0.1
- package/README.md +13 -0
- package/package.json +3 -2
- package/scripts/migrate-check.js +47 -0
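--- a/package/README.md
+++ b/package/README.md
@@ -16,6 +16,19 @@ The package contains **CVE-2020-7753** — a ReDoS vulnerability in the regex `/
 npm install trim-safe
 ```
 
+When installed into a project, `trim-safe` automatically checks your dependency tree. If it finds the vulnerable `trim` package, it prints a migration prompt:
+
+```
+⚠ VULNERABLE: trim (CVE-2020-7753) found in dependency tree
+3 packages still depend on the vulnerable trim package.
+
+Migrate:
+npm install trim-safe
+# in your code: require('trim-safe') instead of require('trim')
+```
+
+No extra setup needed.
+
 ## Usage
 
 ```js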
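--- a/package/package.json
+++ b/package/package.json
@@ -1,10 +1,11 @@
 {
 "name": "trim-safe",
-"version": "1.0.
+"version": "1.0.1",
 "description": "Safe, drop-in replacement for the abandoned trim package. Fixed ReDoS vulnerability (CVE-2020-7753).",
 "main": "index.js",
 "scripts": {
-"test": "node test.js"
+"test": "node test.js",
+"postinstall": "node scripts/migrate-check.js"
 },
 "keywords": [
 "trim",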
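Review bot: The `postinstall` hook added on line 8 runs `node scripts/migrate-check.js` in every downstream install, including installs driven by yarn or pnpm, where `npm ls` may not describe the tree that was actually built and the script's catch-all is what keeps those installs from failing. A full `npm ls --all` traversal is also paid on every CI install; an environment opt-out (for example `TRIM_SAFE_SKIP_CHECK`, name illustrative) checked at the top of the script, plus a README line stating exactly what the hook runs, would make the hook cheaper and easier to audit, since install-time hooks are the first thing a dependency review inspects.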
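--- /dev/null
+++ b/package/scripts/migrate-check.js
@@ -0,0 +1,47 @@
+#!/usr/bin/env node
+
+var execSync = require('child_process').execSync;
+
+function log(msg) { console.log(msg); }
+function red(s) { return '\x1b[31m' + s + '\x1b[0m'; }
+function green(s) { return '\x1b[32m' + s + '\x1b[0m'; }
+function yellow(s){ return '\x1b[33m' + s + '\x1b[0m'; }
+function cyan(s) { return '\x1b[36m' + s + '\x1b[0m'; }
+
+try {
+var out = execSync('npm ls trim --all --parseable 2>/dev/null', { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] });
+var lines = out.trim().split('\n').filter(Boolean);
+
+if (lines.length === 0) {
+log('\n ' + green('\u2713') + ' trim-safe OK — no vulnerable trim found in your dependency tree.');
+return;
+}
+
+log('\n ' + red('\u26A0') + ' ' + red('VULNERABLE: trim (CVE-2020-7753) found in dependency tree'));
+log(' ' + lines.length + ' package' + (lines.length === 1 ? '' : 's') + ' still depend on the vulnerable trim package.\n');
+
+var unique = {};
+lines.forEach(function(l) {
+var parts = l.split('node_modules/');
+var pkg = parts[parts.length - 1];
+if (pkg && pkg !== 'trim') unique[pkg] = true;
+});
+var names = Object.keys(unique).filter(Boolean);
+
+if (names.length > 0 && names.length <= 20) {
+log(' Direct dependents: ' + names.join(', '));
+log('');
+}
+
+log(' ' + cyan('Migrate:'));
+log(' npm install trim-safe');
+log(' # in your code: require(\'trim-safe\') instead of require(\'trim\')');
+log('');
+} catch (e) {
+try {
+var out2 = execSync('npm ls trim 2>/dev/null', { encoding: 'utf8' });
+if (out2 && out2.includes('trim@')) {
+log(yellow('\n trim found in dependency tree — run "npm install trim-safe" to migrate.\n'));
+}
+} catch (e2) {}
+}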
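Review bot: The `execSync` call on line 12 goes through a shell only to append `2>/dev/null`, which the explicit `stdio` option already makes redundant, and the same shell-string form recurs on line 42; `execFileSync` with an argument array removes the shell, and the `stdio` triple can discard stderr directly. Lifecycle scripts start with the package's own directory as cwd, so the check should pass `cwd: process.env.INIT_CWD` to inspect the consumer's tree, and resolving the binary through `process.env.npm_execpath` runs the same npm that is performing the install (the Windows `npm.cmd` shim cannot be spawned without a shell on current Node releases); under yarn or pnpm that variable points at their own cli, so the call fails into the catch, which is arguably better than asking npm about a tree it did not build. As far as I know `npm ls <pkg>` exits non-zero when nothing matches, so the "no vulnerable trim found" branch on line 16 is likely unreachable and the empty case lands in the silent `catch (e2) {}` on line 46 — worth verifying against the npm versions you support. With `--parseable`, each output line appears to be the path of a matched `trim` install, so `pkg` on line 26 is always `trim`, `names` stays empty, and the count on line 21 reports copies of trim rather than dependents; `npm ls trim --all --json` and walking its `dependencies` object would give real dependents.
```javascript
var execFileSync = require('child_process').execFileSync;

// Run the same package-manager cli that is running this install, without a
// shell; INIT_CWD is the consumer's project directory (lifecycle scripts
// start in the package's own directory).
function npmLs(args) {
  var cli = process.env.npm_execpath;
  var cmd = cli ? process.execPath : 'npm';
  var argv = cli ? [cli].concat(args) : args;
  return execFileSync(cmd, argv, {
    encoding: 'utf8',
    stdio: ['ignore', 'pipe', 'ignore'],
    cwd: process.env.INIT_CWD || process.cwd(),
  });
}

// … unchanged: colour helpers …

try {
  var out = npmLs(['ls', 'trim', '--all', '--parseable']);
  // … unchanged: result handling and migration prompt …
} catch (e) {
  try {
    var out2 = npmLs(['ls', 'trim']);
    // … unchanged: fallback message …
  } catch (e2) {}
}
```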