Can we bump sanitize-html dependency to address this CVE?

Question

Can we bump sanitize-html dependency to address this CVE?

gone-skiing opened this issue 3 years ago · comments

Eugene Krylov commented 3 years ago

GHSA-mjxr-4v3x-q3m4

Eugene Krylov · Answer 1 · Tue May 11 2021 05:45:10 GMT+0800 (China Standard Time)

I am happy to spin up a PR...

Eugene Krylov · Answer 2 · Thu May 13 2021 04:59:18 GMT+0800 (China Standard Time)

@codenirvana here is a PR to bump the dependency if your team has a minute...
#1183

Udit Vasu · Answer 3 · Thu Jun 24 2021 19:40:19 GMT+0800 (China Standard Time)

Fixed in v4.

Felix Deierlein · Answer 4 · Thu Jun 24 2021 20:01:31 GMT+0800 (China Standard Time)

@codenirvana: could you also create a patch for v3?
Not everyone will like to update to a new major version for a security fix.

Udit Vasu · Answer 5 · Thu Jun 24 2021 20:05:38 GMT+0800 (China Standard Time)

@delixfe Sure but can you also check the changelog to verify the breaking changes?

Felix Deierlein · Answer 6 · Thu Jun 24 2021 20:11:47 GMT+0800 (China Standard Time)

@codenirvana Actually, I think many of us would prefer not to have to check those. That was the reason I have asked :).
Now I did read them and I won't be affected by the breaking changes so I can easily upgrade to v4.