[UINOTES-35] Fix security vulnerability reported for js-yaml < 3.13.1

| Created: | 06/Jun/19 | Updated: | 24/Jun/19 | Resolved: | 24/Jun/19 |
| Status: | Closed |
| Project: | ui-notes |
| Components: | None |
| Affects versions: | None |
| Fix versions: | 1.2.0 |
| Type: | Bug | Priority: | TBD |
| Reporter: | Peter Murray | Assignee: | Sobha Duvvuri |
| Resolution: | Cannot Reproduce | Votes: | 0 |
| Labels: | epam-spitfire, front-end, security, ui-only |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | eHoldings Sprint 66 |
| Development Team: | Spitfire |
| Description |
Remediation: upgrade js-yaml to version 3.13.1 or later. The corresponding yarn.lock entry after the upgrade:

    js-yaml@^3.13.1:
      version "3.13.1"

Always verify the validity and compatibility of suggestions with your codebase.

Details: WS-2019-0063. Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection: the load() function may execute arbitrary code injected through a malicious YAML file.
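The remediation above asks for js-yaml to resolve to 3.13.1 or later, and the comments below turn on whether a transitive dependency was in fact bumped. The script that follows is an added example, not code from this issue or from the ui-notes project: it parses yarn.lock v1 text for every js-yaml resolution and flags any resolved version below 3.13.1, so the fix can be confirmed from the lockfile itself rather than from a scanner's status alone. The function names, the FIXED_JS_YAML constant and the sample lockfile excerpt are assumptions of this example.

```javascript
// Added example, not code from the Jira issue or the ui-notes project.
// Audits a yarn.lock (v1 format) for every resolution of a package and
// reports which resolved versions fall below the fixed version.

const FIXED_JS_YAML = "3.13.1"; // first js-yaml release without WS-2019-0063

// Compare two dotted version strings numerically. Returns -1, 0 or 1.
// A pre-release suffix (e.g. "3.13.1-rc1") sorts below the plain release.
function compareVersions(a, b) {
  const [aCore, aPre] = a.split("-", 2);
  const [bCore, bPre] = b.split("-", 2);
  const ap = aCore.split(".").map(Number);
  const bp = bCore.split(".").map(Number);
  for (let i = 0; i < Math.max(ap.length, bp.length); i++) {
    const x = ap[i] || 0;
    const y = bp[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (aPre && !bPre) return -1;
  if (!aPre && bPre) return 1;
  return 0;
}

// Parse yarn.lock v1 text into a list of { specs, version } entries.
// An entry header is an unindented line ending in ":" that lists one or
// more "name@range" specifiers separated by commas (optionally quoted);
// the indented lines that follow hold its fields, including version.
function parseYarnLock(lockText) {
  const entries = [];
  let current = null;
  for (const raw of lockText.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      const specs = line
        .slice(0, -1)
        .split(",")
        .map((s) => s.trim().replace(/^"(.*)"$/, "$1"));
      current = { specs, version: null };
      entries.push(current);
      continue;
    }
    const m = line.match(/^\s+version\s+"([^"]+)"/);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// The package name is everything before the last "@" in a specifier,
// which keeps scoped names such as "@scope/pkg@^1.0.0" intact.
function specName(spec) {
  return spec.slice(0, spec.lastIndexOf("@"));
}

// Split the resolutions of pkgName into those below fixedVersion and
// those already at or above it. Entries without a version line are skipped.
function auditLockfile(lockText, pkgName, fixedVersion) {
  const vulnerable = [];
  const ok = [];
  for (const entry of parseYarnLock(lockText)) {
    if (!entry.specs.some((s) => specName(s) === pkgName)) continue;
    if (entry.version === null) continue;
    const bucket = compareVersions(entry.version, fixedVersion) < 0 ? vulnerable : ok;
    bucket.push({ specs: entry.specs, version: entry.version });
  }
  return { vulnerable, ok };
}

// Constructed yarn.lock excerpt (not taken from ui-notes): one direct js-yaml
// entry already on the fixed version and one older resolution still pulled in
// by other packages' ranges, which is the transitive case the thread discusses.
const SAMPLE_LOCK = `
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

argparse@^1.0.7:
  version "1.0.10"
  resolved "https://registry.yarnpkg.com/argparse/-/argparse-1.0.10.tgz"

"js-yaml@^3.7.0", js-yaml@^3.12.0:
  version "3.12.0"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.12.0.tgz"
  dependencies:
    argparse "^1.0.7"
    esprima "^4.0.0"

js-yaml@^3.13.1:
  version "3.13.1"
  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.13.1.tgz"
  dependencies:
    argparse "^1.0.7"
    esprima "^4.0.0"
`;

function printReport(lockText) {
  const report = auditLockfile(lockText, "js-yaml", FIXED_JS_YAML);
  for (const r of report.vulnerable) {
    console.log(`VULNERABLE ${r.specs.join(", ")} -> ${r.version} (< ${FIXED_JS_YAML})`);
  }
  for (const r of report.ok) {
    console.log(`ok         ${r.specs.join(", ")} -> ${r.version}`);
  }
  return report;
}

printReport(SAMPLE_LOCK);
```

To run this against a real project, replace SAMPLE_LOCK with the contents of its yarn.lock (for example via fs.readFileSync("yarn.lock", "utf8")); a second lockfile entry for js-yaml with an older version is exactly what "resolved somewhere down the dep tree" can hide. A clean audit only confirms the installed version. For code on js-yaml 3.x that parses untrusted input, safeLoad() rather than load() is the safe parser; in js-yaml 4.x, load() is safe by default and safeLoad() was removed.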
| Comments |
| Comment by Zak Burke [ 13/Jun/19 ] |
I think this was a transitive dependency that appears to have been resolved automatically somewhere down the dep tree. Agreed, Igor Godlevskyi?
| Comment by Sobha Duvvuri [ 24/Jun/19 ] |
Waiting on response from Peter Murray to understand if this still needs to be tackled. Observations are as follows:
| Comment by Sobha Duvvuri [ 24/Jun/19 ] |
Per Peter Murray, these were reported by GitHub's vulnerability scan, and GitHub is no longer showing the vulnerabilities. So, closing this as non-reproducible.