Ant Design (antd) has released version 0.9.1, a minor update following the 0.9.0 release. Both versions offer a UI design language and React-based components, giving developers a suite of tools for building web applications. Looking at the dependency updates, version 0.9.1 bumps rc-menu from ~4.4.2 to ~4.6.0 and rc-steps from ~1.2.3 to ~1.3.2; rc-tooltip moves from ~2.6.4 to ~2.8.0, rc-upload from ~1.4.0 to ~1.6.4, and enter-animation from ~0.4.9 to ~0.5.0. These changes likely include bug fixes, performance improvements, and potentially new features within those specific components. In the devDependencies section, react-router is updated from 1.0.0-beta3 to 1.0.0-rc1, and autoprefixer-loader from ^2.0.0 to ^3.1.0. Developers already using antd should consider upgrading to 0.9.1 to benefit from these incremental improvements. For new adopters, either version provides a solid foundation, though starting with 0.9.1 ensures you are working with the latest refinements and bug fixes in the core components and development tools. Both versions share a common set of core dependencies and development tooling; choosing the latest gives access to recent features and fixes within components like menus, steps and tooltips.
All vulnerabilities related to version 0.9.1 of the package
superagent vulnerable to zip bomb attacks
Affected versions of superagent do not check the post-decompression size of ZIP-compressed HTTP responses prior to decompressing. This results in the package being vulnerable to a ZIP bomb attack, where an extremely small ZIP file becomes many orders of magnitude larger when decompressed.
This may result in unrestrained CPU/Memory/Disk consumption, causing a denial of service condition.
Update to version 3.7.0 or later.
Prototype Pollution Protection Bypass in qs
Affected versions of qs are vulnerable to Prototype Pollution because it is possible to bypass the protection. The qs.parse function fails to properly prevent an object's prototype from being altered when parsing arbitrary input. Input containing [ or ] may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.
Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
qs vulnerable to Prototype Pollution
qs before 6.10.3 allows attackers to cause a Node process hang because an __proto__ key can be used. In many typical web framework use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4.
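A defensive guard for the query-string vector described in the two qs advisories above, added here as an example that is not part of the advisory text or of qs itself: it rejects any key path that names a prototype segment before a parser such as qs.parse() sees the input. The function names checkQueryKeys, keySegments and rejectPrototypeKeys, and the Express-style middleware shape, are assumptions.

```javascript
// Added example (not from the advisory or from qs): refuse query strings whose
// key paths would walk into Object.prototype before a parser such as qs.parse()
// ever sees them. checkQueryKeys / rejectPrototypeKeys are assumed names.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Split a bracket-notation key such as "a[b][__proto__]" into its path segments.
// Percent-encoded brackets are decoded first; a decoding failure is reported as
// null so the caller treats malformed keys as suspicious rather than ignoring them.
function keySegments(rawKey) {
  let key;
  try {
    key = decodeURIComponent(rawKey.replace(/\+/g, " "));
  } catch (e) {
    return null;
  }
  return key.split(/[\[\]]+/).filter((s) => s.length > 0);
}

// Returns the raw keys that name a prototype segment (or could not be decoded).
// An empty array means the query can be handed to the parser. Only key paths
// are inspected; values are irrelevant to this class of bug.
function checkQueryKeys(queryString) {
  const query = queryString.startsWith("?") ? queryString.slice(1) : queryString;
  const offending = [];
  for (const pair of query.split("&")) {
    if (pair === "") continue;
    const rawKey = pair.split("=", 1)[0];
    const segments = keySegments(rawKey);
    if (segments === null || segments.some((s) => DANGEROUS_KEYS.has(s))) {
      offending.push(rawKey);
    }
  }
  return offending;
}

// Connect/Express-style middleware (assumed integration point): reject the
// request with 400 instead of letting a vulnerable parser or deep-merge see it.
function rejectPrototypeKeys(req, res, next) {
  const idx = req.url.indexOf("?");
  const bad = idx === -1 ? [] : checkQueryKeys(req.url.slice(idx + 1));
  if (bad.length > 0) {
    res.statusCode = 400;
    res.end("rejected query keys: " + bad.join(", "));
    return;
  }
  next();
}
```

The guard is a belt-and-braces control in front of the parser; it does not replace upgrading qs to a fixed version.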
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Affected versions of mime are vulnerable to regular expression denial of service when a MIME lookup is performed on untrusted user input.
Update to version 2.0.3 or later.
Prototype Pollution in extend
Versions of extend prior to 3.0.2 (for 3.x) and 2.0.2 (for 2.x) are vulnerable to Prototype Pollution. The extend() function allows attackers to modify the prototype of Object, adding a property, or modifying an existing one, that will then exist on all objects.
If you're using extend 3.x, upgrade to 3.0.2 or later.
If you're using extend 2.x, upgrade to 2.0.2 or later.
cookiejar Regular Expression Denial of Service via Cookie.parse function
Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the Cookie.parse function and other aspects of the API, which use an insecure regular expression for parsing cookie values. Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or parsed from request headers.
Proof of concept:

```js
const { performance } = require("perf_hooks");
const { CookieJar } = require("cookiejar");

const jar = new CookieJar();
const start = performance.now();
// One "a" followed by 50,000 "t"s: the cookie-value regex backtracks on this input
const attack = "a" + "t".repeat(50_000);
jar.setCookie(attack);
console.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);
```

Measured output on an affected version:

```
CookieJar.setCookie(): 2963.214399999939ms
```