High Severity Vulnerability Alert

[joarwilk]

CVE-2017-16116
high severity
Vulnerable versions: <= 3.3.3

The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.

[marcus-hiles]

@joarwilk is this an answer or a question please?

[rendall]

@marcus-hiles Some of us who have projects with stringjs as a dependency have received a severe security alert from Github. Fortunately for me, this is only used in the build process of a website. But if stringjs is in a public-facing node project or used in website code, it is vulnerable to a DoS attack.

[aceAbdel]

is this project still under maintenance?
any other alternative?

[mkonikov]

Anyone else found a good alternative as it seems this it not a project in active development.

Just got GitHub notification as well.

[mkonikov]

Main discussion is here -> #212

Though no fix obviously.

[petershaw]

I switched to voca without any problems. Maybe it helps you too.

[throrin19]

@petershaw Voca seems great choice but it does not have the humanize function :(