Security: JS-yaml #1845

pmespresso · 2019-09-09T09:36:42Z

I confirm that this is an issue rather than a question.

Bug report

Steps to reproduce

What is expected?

js-yaml should be version higher than 1.13.1

What is actually happening?

it is not and it is a security vulnerability.

nodeca/js-yaml#475
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

nodeca/js-yaml#480
Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

vuepress/packages/@vuepress/core/package.json

Line 49 in e5d8ed4

"js-yaml": "^3.11.0",

Other relevant information

found this from Github's automatic security report on a project that has a dependency that has a dependency that has a dependency that uses vuepress...

The text was updated successfully, but these errors were encountered:

kefranabg added complexity: easy Easy complexity contribution welcome Contributions welcome good first issue Good for newcomers priority: medium Medium priority issue labels Sep 9, 2019

pmespresso mentioned this issue Sep 9, 2019

fix: #1845 bump js-yaml #1846

Merged

18 tasks

flozero closed this as completed in 696717b Sep 9, 2019

snyk-bot mentioned this issue Apr 6, 2020

[Snyk] Upgrade vuepress from 1.1.0 to 1.3.1 vchain-us/docs#11

Closed

snyk-bot mentioned this issue May 1, 2020

[Snyk] Upgrade vuepress from 1.0.2 to 1.4.0 adamlaska/osmos-cosmos-sdk#5

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: JS-yaml #1845

Security: JS-yaml #1845

pmespresso commented Sep 9, 2019

Security: JS-yaml #1845

Security: JS-yaml #1845

Comments

pmespresso commented Sep 9, 2019

Bug report

Steps to reproduce

What is expected?

What is actually happening?

Other relevant information