CVE-2020-7608

Question

CVE-2020-7608

Hyperkid123 opened this issue a year ago · comments

The package showdown has an old yargs-parser dependency with this critical security vulnerability. Can we update the dependencies to remove it?

Dana Gutride · Answer 1 · Fri Oct 27 2023 02:23:13 GMT+0800 (China Standard Time)

This one is important for us, too - @jessiehuff

Joachim Schuler · Answer 2 · Tue Oct 31 2023 02:49:12 GMT+0800 (China Standard Time)

If you're still on PF4:
https://www.npmjs.com/package/@patternfly/quickstarts/v/2.4.3

If you're on PF5:
https://www.npmjs.com/package/@patternfly/quickstarts/v/5.1.0

In either case, showdown is no longer declared a dependency, it continue to remain a peer dependency though.
So in your own project, make sure that showdown is at 2.1.0 or greater.

i.e.
https://github.com/opendatahub-io/odh-dashboard/blob/main/frontend/package.json#L75
https://github.com/openshift/console/blob/master/frontend/package.json#L220
Could be updated