Luxon Inefficient Regular Expression Complexity vulnerability

01-18-2023 04:37 PM
FabianHanggi
New Contributor II

Hello

I'm getting an error today in my pipeline that runs npm audit -prod

luxon 2.0.0 - 2.5.1
Severity: high
Luxon Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-3xq5-wjfh-ppjc
fix available via `npm audit fix --force`
Will install @arcgis/core@4.25.5, which is outside the stated dependency range
node_modules/luxon
@arcgis/core 4.21.0-next.20210721 - 4.25.0-next.20221108
Depends on vulnerable versions of luxon
node_modules/@arcgis/core

All versions of ArcGIS are using luxon versions that have this vulnerability. On GitHub for luxon it says to update to newer versions.

https://github.com/advisories/GHSA-3xq5-wjfh-ppjc

Is ArcGIS going to release an update soon? If not, I cannot release my app since I'm not allowed to deploy high severity vulnerabilities.
Is there a workaround while you work on an upgrade?

Thank you

Fabian

Accepted Solution
FabianHanggi
New Contributor II

Response from ESRI support
Hello Fabian,

I did receive a response from Esri Inc. and this issue has already been resolved in the next release. When the next release comes out you will just need to upgrade. The next release has been updated to 3.2.1.

The next release of the JavaScript SDK is scheduled for late February or early March of 2023.

Let me know if you have any further questions.


Thank you,
Victor C.
Esri Canada


0 Kudos
7 Replies
Stacy-Rendall
New Contributor III

Also encountering this issue

0 Kudos
by Anonymous User
Not applicable

Same issue here.

0 Kudos
René_Ténière
Occasional Contributor

Any traction on this from Esri yet?

0 Kudos
by Anonymous User
Not applicable

4.26 does not depend on version(s) of the Luxon module affected by CVE-2023-22467.

You can validate this by installing the 4.26 release using the following command:

npm install @arcgis/core@next

0 Kudos
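The npm audit output at the top of the thread and the "install 4.26 and validate" advice above both come down to one question: does any installed copy of luxon, top-level or nested under @arcgis/core, sit in the 2.0.0 - 2.5.1 range npm audit flagged? The script below is an added example, not code from this thread, from Esri or from the luxon project. It reads the "packages" map of an npm lockfile (lockfileVersion 2 or 3), uses a hand-rolled semver comparison rather than the npm semver package, and walks Node's resolution order to say which package actually picks up each affected copy. The lockfile it runs on is constructed for the example; the version numbers for @arcgis/core and its nested luxon are made up and are not a claim about what any real release ships.

```javascript
// Added example for this thread (not Esri's or luxon's code): scan an npm
// lockfile (lockfileVersion 2 or 3, "packages" map) for installed copies of
// luxon inside the range npm audit printed in the thread, 2.0.0 - 2.5.1, and
// report which packages resolve to each affected copy. Running this in CI
// confirms that a dependency bump really removed the vulnerable copy.

// Affected range exactly as npm audit reported it in the thread (inclusive).
const AFFECTED = { name: "luxon", min: "2.0.0", max: "2.5.1" };

// Minimal semver parse: numeric core plus optional prerelease tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1; a prerelease sorts below the release with the same core.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

function isAffected(version) {
  return compareVersions(version, AFFECTED.min) >= 0 &&
         compareVersions(version, AFFECTED.max) <= 0;
}

// Node's resolution walk: look for node_modules/<name> beside the requiring
// package, then in each enclosing node_modules directory up to the project root.
function resolveCopy(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (candidate in packages) return candidate;
    if (dir === "") return null;
    const i = dir.lastIndexOf("/node_modules/");
    dir = i === -1 ? "" : dir.slice(0, i);
  }
}

// Package name of a lockfile path: the last node_modules segment, or the root project.
function displayName(path) {
  if (path === "") return "(root project)";
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Every installed copy of the affected package in the vulnerable range, with
// the list of packages whose "luxon" dependency resolves to that copy.
function findAffectedCopies(lockfile) {
  const packages = lockfile.packages || {};
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || !entry.version) continue;
    if (displayName(path) !== AFFECTED.name || !isAffected(entry.version)) continue;
    const dependents = Object.entries(packages)
      .filter(([, e]) => e.dependencies && AFFECTED.name in e.dependencies)
      .filter(([p]) => resolveCopy(packages, p, AFFECTED.name) === path)
      .map(([p]) => displayName(p));
    hits.push({ path, version: entry.version, dependents });
  }
  return hits;
}

// Constructed sample lockfile (not a real @arcgis/core lockfile): the app
// already pins luxon 3.2.1 at the top level, but the ArcGIS package still
// carries its own nested 2.5.1 copy, which is the one npm audit complains about.
const SAMPLE_LOCKFILE = {
  name: "my-map-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-map-app", dependencies: { "@arcgis/core": "^4.25.0", luxon: "^3.2.1" } },
    "node_modules/luxon": { version: "3.2.1" },
    "node_modules/@arcgis/core": { version: "4.25.0", dependencies: { luxon: "^2.3.0" } },
    "node_modules/@arcgis/core/node_modules/luxon": { version: "2.5.1" },
  },
};

// Report on the constructed lockfile; swap in JSON.parse(fs.readFileSync("package-lock.json"))
// to run it against a real project.
for (const h of findAffectedCopies(SAMPLE_LOCKFILE)) {
  console.log(`${h.path} (luxon ${h.version}) is in the affected range; required by: ${h.dependents.join(", ")}`);
}
```

The point of resolving dependents rather than just grepping for "luxon" is the case the sample shows: a top-level luxon 3.2.1 does not help when @arcgis/core ships its own nested copy, so the only fixes are the upstream release that drops the affected range, or an override that forces the nested copy up, and this check tells you which one you are looking at.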
René_Ténière
Occasional Contributor

I am still in development so I will wait for the official release.

0 Kudos
FabianHanggi
New Contributor II

Just installed 4.26.5. This issue has been resolved.

0 Kudos