Closed
Labels
complexity: easy (Easy complexity), contribution welcome (Contributions welcome), good first issue (Good for newcomers), priority: medium (Medium priority issue)
Description
- I confirm that this is an issue rather than a question.
Bug report
Steps to reproduce
What is expected?
js-yaml should be a version higher than 1.13.1
What is actually happening?
It is not, and it is a security vulnerability.
nodeca/js-yaml#475
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.
nodeca/js-yaml#480
js-yaml prior to 3.13.1 is vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
"js-yaml": "^3.11.0",
Other relevant information
- found this from GitHub's automatic security report on a project that has a dependency that has a dependency that has a dependency that uses vuepress...