Using outdated dependency flags dependency confusion attack [PR available] #71

jackwhelpton · 2024-04-17T23:25:47Z

Expected Behavior

Prior to v1.9.0, acorn-import-attributes (then called acorn-import-assertions) used an implicit/not fully qualified reference to a dependency (test262).

This causes security scanning tools to flag a possible dependency confusion attack.

Actual Behavior

No security warning

Steps to Reproduce the Problem

Run security scan (e.g. Orca) on code using this repo

Specifications

Version: 1.7.3
Platform: (all)
Subsystem: (all)

The text was updated successfully, but these errors were encountered:

jackwhelpton · 2024-04-17T23:26:57Z

I've raised a PR #70 that should resolve this, let me know what it would take to get this merged. My first contribution to this repo, so be gentle/let me know if edits are required.

trentm · 2024-05-06T15:17:55Z

Now that #70 is merged and 1.7.4 is released, I believe this can be closed?

jackwhelpton changed the title ~~Using outdated dependency flags dependency confusion attack [MR available]~~ Using outdated dependency flags dependency confusion attack [PR available] Apr 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Using outdated dependency flags dependency confusion attack [PR available] #71

Using outdated dependency flags dependency confusion attack [PR available] #71

jackwhelpton commented Apr 17, 2024

jackwhelpton commented Apr 17, 2024 •

edited

Loading

trentm commented May 6, 2024

Using outdated dependency flags dependency confusion attack [PR available] #71

Using outdated dependency flags dependency confusion attack [PR available] #71

Comments

jackwhelpton commented Apr 17, 2024

Expected Behavior

Actual Behavior

Steps to Reproduce the Problem

Specifications

jackwhelpton commented Apr 17, 2024 • edited Loading

trentm commented May 6, 2024

jackwhelpton commented Apr 17, 2024 •

edited

Loading