Versions of webpack-bundle-analyzer prior to 3.3.2 are vulnerable to Cross-Site Scripting. The package uses JSON.stringify() without properly escaping input which may lead to Cross-Site Scripting.
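The failure mode described above is the classic one for report generators that inline data into a page: JSON.stringify() produces valid JSON, but it leaves `<`, `>` and `&` untouched, so a string value inside the data can close the surrounding `<script>` element and inject markup. The example below is added here to illustrate the mitigation; it is not code from webpack-bundle-analyzer or from this issue. The function names, the `window.chartData` variable and the sample module path are all constructed for the example.

```javascript
// Added example (not webpack-bundle-analyzer's own code): embedding JSON inside an
// inline <script> block so that no data value can terminate the script early.
// Escaping HTML-sensitive characters as JavaScript \uXXXX sequences keeps the text
// valid JSON (JSON.parse reverses it) while making it inert in an HTML context.

// Characters that must never appear literally inside a <script> block.
// U+2028/U+2029 are legal in JSON strings but were line terminators in older
// JavaScript engines, so they are escaped as well.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// Serialize a value to JSON and escape the characters listed above.
function safeJsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Render the inline script the way a report page would (hypothetical helper).
function renderChartDataScript(chartData) {
  return '<script>window.chartData = ' + safeJsonForScript(chartData) + ';</script>';
}

// Naive variant kept for comparison: raw JSON.stringify output in the page.
function renderChartDataScriptUnsafe(chartData) {
  return '<script>window.chartData = ' + JSON.stringify(chartData) + ';</script>';
}

// Check used by the test: the generated HTML must contain exactly one closing
// </script> tag, i.e. no data value was able to end the script element early.
function scriptIsIntact(html) {
  return (html.match(/<\/script/gi) || []).length === 1;
}

// Constructed sample input: a module path (data the report does not control)
// containing characters that are significant in HTML.
const sampleData = {
  modules: [{ path: './node_modules/</script>/index.js', size: 42 }],
};

// Stand-alone run: show both renderings side by side.
console.log(renderChartDataScriptUnsafe(sampleData)); // script element is broken
console.log(renderChartDataScript(sampleData));       // script element stays intact
```

The escaped form is still plain JSON, so a consumer that reads `window.chartData` sees the original string values unchanged; only the page source differs.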
Per , these were reported by GitHub's vulnerability scan, and GitHub is no longer showing the vulnerabilities. So, closing this as non-reproducible.
Sobha Duvvuri June 24, 2019 at 2:33 PM
Edited
Waiting on response from to understand if this still needs to be tackled.
Observations are as follows:
1. We cannot see these security vulnerabilities either in GitHub or in SonarCloud.
2. These are inner dependencies of dependencies, and when looked at in the yarn.lock file, it looks like these libraries are being resolved to the correct versions (the ones without the security issues), which is why we want to confirm if these still need to be fixed.
3. Modifying the yarn.lock file directly might not make sense since it's possible that it gets regenerated automatically.
Peter Murray June 5, 2019 at 6:11 PM
: Could you add these to the team's backlog, please?
1 webpack-bundle-analyzer vulnerability found in yarn.lock 5 days ago
Remediation
Upgrade webpack-bundle-analyzer to version 3.3.2 or later. For example:
webpack-bundle-analyzer@^3.3.2: version "3.3.2"
Always verify the validity and compatibility of suggestions with your codebase.
Details
WS-2019-0058: More information
moderate severity
*Vulnerable versions:* < 3.3.2
*Patched version:* 3.3.2