[Bug]: Medium Severity vulnerability on color-string-1.5.3.tgz

[biswajit-ibm]

🔎 Search Terms

color-string-1.5.3

The problem

Vulnerable Library - color-string-1.5.3.tgz
Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color-string/package.json

Dependency Hierarchy:

winston-3.6.0.tgz (Root Library)
diagnostics-2.0.2.tgz
colorspace-1.1.2.tgz
color-3.0.0.tgz
❌ color-string-1.5.3.tgz (Vulnerable Library)

Vulnerability Details
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.

What version of Winston presents the issue?

v3.6.0

What version of Node are you using?

v.12

If this worked in a previous version of Winston, which was it?

No response

Minimum Working Example

No response

Additional information

No response

[wbt]

Thanks for the report!
As an FYI for the future, that is not the library homepage as labeled and a link to the posted vulnerability is helpful.
This appears to have been fixed in color-string 1.5.5.
The second line of your dependency tree is different than what I'm seeing and the switch to using a fork of the diagnostics package was in Winston as of 3.3.2 a couple years ago. I don't know why you're seeing something different.