[Security Issues Collection] Security Findings Fixing
terryatgithub opened this issue
Hi @adamstep, the app we are building based on Hyperview is going to go live in the coming months, and our security team reported some high-severity issues that must be fixed before the formal release.
It's noticed that the dependencies are all hardcoded to fixed versions, so we need your help to assess whether it's feasible to upgrade them.
"dependencies": {
"tiny-emitter": "2.1.0",
- "url-parse": "1.4.3", // vulnerable issues as described in [CVE-2022-0686](https://nvd.nist.gov/vuln/detail/CVE-2022-0686)
+ "url-parse": "1.5.9", // need upgrade to 1.5.9 or later
- "xmldom-instawork": "0.0.1" // vulnerable issues as described in #520 #527, [CVE-2022-39353](https://nvd.nist.gov/vuln/detail/CVE-2022-39353)
+ "xmldom-instawork": "0.0.1" // need to upgrade to such as @xmldom/xmldom@~0.8.4
},
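Review bot: the `+` line for `xmldom-instawork` still reads `"xmldom-instawork": "0.0.1"`, identical to the `-` line it replaces, so as written the hunk changes nothing for that dependency while its comment calls for `@xmldom/xmldom@~0.8.4`. If the intent is to migrate, the dependency key itself has to change (and the import sites with it), e.g. `"@xmldom/xmldom": "0.8.4"`. Two smaller points: `~0.8.4` is a range, which contradicts the exact-pin convention every other line in the block follows, and the trailing `//` comments are not valid JSON, so this block is a proposal to discuss rather than something that can be applied to package.json verbatim.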
Any response or potential plan would be appreciated, as this would allow us to discuss with our security team and make arrangements accordingly.
Thank you in advance and wish you all the best.
Hi @terryatgithub, I think it is safe to update url-parse. I checked that the API is unchanged, and we can QA the updated dependency. Do you want to submit a PR with this change?
Regarding the xmldom library: my team will have to take a look at this. A while ago, we needed to fork the xmldom library to fix a parsing bug that caused the library to crash on certain valid inputs. It could be that the change was applied upstream already. But if not, we may need to pull down the latest version of xmldom into our fork. We will keep you posted.
We have actually started exploring updating xmldom in this PR: #527
Linking to issue #520
@terryatgithub 0.66.1-rc.0 is available on npm with a patched version of xmldom. Note that I'm publishing this as a release candidate: we plan to QA this version extensively with the Instawork apps to make sure there are no regressions with the changes to the parsing library. I recommend you also test your apps with this release candidate before we make a full release.