Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Snyk] Security upgrade onfido-sdk-ui from 13.6.1 to 14.15.0 #26

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Security upgrade onfido-sdk-ui from 13.6.1 to 14.15.0 #26

wants to merge 1 commit into from

Conversation

pavelbe4solutions
Copy link

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
Severity Priority Score (*) Issue Breaking Change Exploit Maturity
medium severity 703/1000
Why? Proof of Concept exploit, Recently disclosed, Has a fix available, CVSS 6.2		 Cross-site Scripting (XSS)
SNYK-JS-DOMPURIFY-8184974		 Yes Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Cross-site Scripting (XSS)

@dryrunsecurity DryRunSecurity
Copy link

dryrunsecurity bot commented Oct 18, 2024
edited
Loading

DryRun Security Summary

The pull request updates the version of the onfido-sdk-ui dependency from 13.6.1 to 14.15.0, which should be reviewed for potential changes in the SDK's behavior, functionality, or security features, and to ensure that the application's dependencies are kept up-to-date for security purposes.

Expand for full summary

Summary:

The code change in this pull request updates the version of the onfido-sdk-ui dependency from 13.6.1 to 14.15.0. From an application security perspective, this change is worth reviewing for a few reasons:

  1. Version Upgrade: Upgrading dependencies to the latest version is generally a good practice, as it can provide bug fixes, security patches, and new features. However, it's important to review the changelog or release notes for the new version to understand what changes have been made and assess any potential impact on the application.

  2. Onfido SDK: The onfido-sdk-ui library is used for integrating Onfido's identity verification services into the application. Onfido is a security-sensitive component, as it deals with sensitive user data. Upgrading to a newer version may introduce changes to the SDK's behavior, functionality, or security features, which should be carefully evaluated.

  3. Dependency Management: Keeping dependencies up-to-date is an important aspect of application security. Outdated dependencies can introduce vulnerabilities, which can be exploited by attackers. Regularly reviewing and updating dependencies is a best practice to maintain a secure application.

Files Changed:

  • package.json: The code change in this pull request updates the version of the onfido-sdk-ui dependency from 13.6.1 to 14.15.0.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Sensitive Files Analyzer 2 findings

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pavelbe4solutions @snyk-bot