King_Damo

Reputation: 1

What does Regular expression denial of service when using npm mean?

I am new to programming, and everyone keeps mentioning how it is problem-specific, but I wanted to know: when using npm audit, does the denial of service mean it's not able to communicate with the git repository?

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/chokidar/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    live-server  >=1.2.0
    Depends on vulnerable versions of chokidar
    node_modules/live-server

3 high severity vulnerabilities

To address all issues, run:
  npm audit fix

Upvotes: 0

Views: 3631

Answers (1)

CertainPerformance

Reputation: 371168

What you're seeing is an alert coming from NPM that reports that one of the packages your project is using, glob-parent, had a vulnerability before version 5.1.2. Specifically, someone could theoretically do:

var globParent = require("glob-parent")

// Builds a string that opens an enclosure ("{") and never closes it,
// padded with n path separators: the shape that triggers the backtracking.
function build_attack(n) {
  var ret = "{"
  for (var i = 0; i < n; i++) {
    ret += "/"
  }

  return ret;
}

// With a vulnerable glob-parent (< 5.1.2) this call hangs the process.
globParent(build_attack(5000));

or create some other deliberately malformed string for globParent to parse, which would result in your system hanging due to a regular expression that glob-parent is using.

If you upgrade to a more recent version of glob-parent (which you can do with npm audit fix), you will no longer be vulnerable to this attack.

does the denial of service mean it's not able to communicate with the git repository?

No, it means that a bad actor could theoretically leverage glob-parent to deny resources to your system (until you killed the process). It doesn't mean that such a thing is actually taking place, just that the old versions of glob-parent were vulnerable to such a thing.

Upvotes: 1
