Status: Open
Labels: sharepoint-developer-support, type:bug-confirmed (Confirmed bug, not working as designed / expected.)
Description
Target SharePoint environment
SharePoint Online
What SharePoint development model, framework, SDK or API is this about?
💥 SharePoint Framework
Developer environment
None
What browser(s) / client(s) have you tested
- 💥 Internet Explorer
- 💥 Microsoft Edge
- 💥 Google Chrome
- 💥 FireFox
- 💥 Safari
- mobile (iOS/iPadOS)
- mobile (Android)
- not applicable
- other (enter in the "Additional environment details" area below)
Additional environment details
No response
Describe the bug / error
SPFx version 1.22.1 is affected by the following vulnerability: GHSA-6rw7-vpxm-498p
Since this morning, we have identified 5 high-level vulnerabilities, with the following audit results:
```
Severity: high
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix --force`
Will install @microsoft/spfx-heft-plugins@1.13.1, which is a breaking change
node_modules/qs
  body-parser <=1.20.3 || 2.0.0-beta.1 - 2.0.2
  Depends on vulnerable versions of qs
  node_modules/body-parser
    express 2.5.8 - 2.5.11 || 3.2.1 - 3.2.3 || 4.0.0-rc1 - 4.21.2 || 5.0.0-alpha.1 - 5.0.1
    Depends on vulnerable versions of body-parser
    Depends on vulnerable versions of qs
    node_modules/express
      @microsoft/spfx-heft-plugins >=1.14.0-beta.4
      Depends on vulnerable versions of express
      node_modules/@microsoft/spfx-heft-plugins
        @microsoft/spfx-web-build-rig >=1.14.0-beta.4
        Depends on vulnerable versions of @microsoft/spfx-heft-plugins
        node_modules/@microsoft/spfx-web-build-rig

5 high severity vulnerabilities
```
Steps to reproduce
- Execute yo to generate a new WebPart with the 1.22.1 version of the SPFx generator
- After the install, execute npm audit
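The dependency chain the audit reports (qs, body-parser, express, @microsoft/spfx-heft-plugins, @microsoft/spfx-web-build-rig) can be checked mechanically from `npm audit --json` rather than read off the text output, which lets a build gate on one specific advisory. This is an added example, not code from the issue or the SPFx project; the report it embeds is a constructed sample in the shape `npm audit --json` emits, not real audit output.

```javascript
// Added example (not from the issue): find every dependency chain in an
// `npm audit --json` report that leads back to one GHSA advisory.
const ADVISORY = "GHSA-6rw7-vpxm-498p";

// Constructed sample mirroring the chain in the issue. Real input would be
// JSON.parse(<output of `npm audit --json`>); fields follow npm's report shape.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    qs: {
      name: "qs", severity: "high", isDirect: false,
      via: [{ name: "qs", severity: "high",
              url: `https://github.com/advisories/${ADVISORY}` }],
      effects: ["body-parser", "express"],
    },
    "body-parser": { name: "body-parser", severity: "high", isDirect: false,
      via: ["qs"], effects: ["express"] },
    express: { name: "express", severity: "high", isDirect: false,
      via: ["body-parser", "qs"], effects: ["@microsoft/spfx-heft-plugins"] },
    "@microsoft/spfx-heft-plugins": { name: "@microsoft/spfx-heft-plugins",
      severity: "high", isDirect: false, via: ["express"],
      effects: ["@microsoft/spfx-web-build-rig"] },
    "@microsoft/spfx-web-build-rig": { name: "@microsoft/spfx-web-build-rig",
      severity: "high", isDirect: true, via: ["@microsoft/spfx-heft-plugins"],
      effects: [] },
  },
};

// Packages whose own `via` list cites the advisory, i.e. the vulnerable package
// itself. `via` mixes advisory objects with bare package-name strings for
// packages that are only affected transitively.
function vulnerablePackages(report, ghsa) {
  return Object.values(report.vulnerabilities || {})
    .filter((v) => (v.via || []).some(
      (e) => typeof e === "object" && e.url && e.url.endsWith(ghsa)))
    .map((v) => v.name);
}

// Follow `effects` edges outward until a package with no further effects (the
// project's direct dependency). Each result is one chain, vulnerable package first.
function advisoryChains(report, ghsa) {
  const vulns = report.vulnerabilities || {};
  const chains = [];
  const walk = (name, path) => {
    const parents = (vulns[name] && vulns[name].effects) || [];
    if (parents.length === 0) chains.push(path);
    for (const p of parents) if (!path.includes(p)) walk(p, [...path, p]); // cycle guard
  };
  for (const root of vulnerablePackages(report, ghsa)) walk(root, [root]);
  return chains;
}

for (const chain of advisoryChains(SAMPLE_AUDIT, ADVISORY)) console.log(chain.join(" -> "));
```

In CI, a non-empty result from `advisoryChains` on the real report is the signal to fail the build until the chain no longer reaches the advisory.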
Expected behavior
Update the dependencies that cause this vulnerability.