Known vulnerabilities in 3rd-party dependency chart.js
magicHatOfTYPO3 opened this issue
magicHatOfTYPO3 commented
Hi. We have received a PenTest result which complains about using a vulnerable version of chart.js as a dependency of luxletter.
As far as I can see, the chart.js from Luxletter is vulnerable to a Prototype Pollution attack, see https://security.snyk.io/package/npm/chart.js/2.7.1
Is there any chance to use a current version of chart.js or at least a minor update to a version with no known security issues?
Or: is it possible to deactivate the chart.js support completely (with then no charts in the backend, of course)?
Alexander Kellner commented
Merged. Will be released asap.
magicHatOfTYPO3 commented
Thanks a lot :)