Skip to content

fix: upgrade uglify-js to address CVE-2015-8858 ReDoS vulnerability#25

Draft
galanko wants to merge 1 commit into
masterfrom
opensec/fix/cve-2015-8858-uglify-js
Draft

fix: upgrade uglify-js to address CVE-2015-8858 ReDoS vulnerability#25
galanko wants to merge 1 commit into
masterfrom
opensec/fix/cve-2015-8858-uglify-js

Conversation

@galanko

@galanko galanko commented May 15, 2026

Copy link
Copy Markdown

Summary

Automated remediation for CVE-2015-8858 in uglify-js package. Upgraded uglify-js from 2.4.24 to 2.8.29 to address regular expression denial of service (ReDoS) vulnerability.

Changes

  • Added uglify-js ^2.8.29 to devDependencies in package.json to override the transitive dependency coming from swig@1.4.2
  • Updated package-lock.json to reflect the new version constraint
  • The top-level uglify-js version now takes precedence over the nested swig dependency

Vulnerability Details

  • CVE: CVE-2015-8858
  • Severity: MEDIUM (CVSS 5.3)
  • Vulnerability Type: Regular Expression Denial of Service (ReDoS)
  • Impact: Attackers can cause denial of service (CPU consumption) via crafted input in a parse call
  • Fix: Upgrade uglify-js from <2.6.0 to 2.6.0+

Testing

  • Existing test suite passes without modifications
  • No runtime errors or parsing failures observed
  • Parser functionality remains intact with existing test cases

Generated by OpenSec remediation agent

…rability

- Added uglify-js ^2.8.29 to devDependencies to override transitive dependency
- Resolves ReDoS (regular expression denial of service) vulnerability in parser
- Semantic versioning safe: 2.4.24 → 2.8.29 is a minor version bump
- No breaking changes expected in application functionality
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant