url-parse critical security patch

Question

url-parse critical security patch

r4d opened this issue a year ago · comments

ryan commented a year ago

url-parse security advisory update: GHSA-hgjh-723h-mx2j

Update url-parse > v1.5.8

Andrey · Answer 1 · Tue Jan 17 2023 20:17:37 GMT+0800 (China Standard Time)

Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

AndyDudleyAdvanced · Answer 2 · Thu Sep 14 2023 18:36:59 GMT+0800 (China Standard Time)

Hi,

Is there any reason why the reference to url-parse hasn't been updated to the patched version? (1.5.9)

Colin Casey · Answer 3 · Tue Sep 19 2023 01:02:58 GMT+0800 (China Standard Time)

@AndyDudleyAdvanced when you npm install tough-cookie it should resolve the url-parse dependency to version 1.5.10 since the range declared in package.json is ^1.5.3.

Colin Casey · Answer 4 · Fri Oct 06 2023 01:26:41 GMT+0800 (China Standard Time)

Closing this issue since the version of url-parse resolved when installing tough-cookie is not affected by GHSA-hgjh-723h-mx2j (see the comment above).