ssri 6.0.1 vulnerability #3064
Comments
We've already published ssri@6.0.2 that resolves this vulnerability and npm@6.14.12 that includes this update. Advisory databases are still being updated to reflect the fix.
@nlf not sure why the scan still shows ssri@6.0.1 even after updating npm to 6.14.12
@networkandcode, FYI the upgrade to ssri@6.0.2 was done in npm 6.14.13. @nlf, am I to assume the upgrade to hosted-git-info@2.8.9 also in npm 6.14.13 was to resolve CVE-2021-23362?
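The reason a scanner can keep reporting ssri@6.0.1 after an npm upgrade is that npm ships its own copy under node_modules/npm/node_modules/, separate from any project-level copy. The following script is an added example (not code from npm or from anyone in this thread) that walks a node_modules tree, reports every ssri copy with its version, and flags the ones inside the affected range stated in the thread (5.2.2 through 8.0.0, with 6.0.2 and 8.0.1 as the named fixes); treating 7.x as affected is an assumption, since the thread names no 7.x fix.

```python
"""Find every copy of ssri below a node_modules tree and flag versions in the
affected range described in this thread. Added example, not npm's own code."""
import json
import os
import re
import sys

# Affected range as stated in the thread: 5.2.2 through 8.0.0.
# Fixed releases named in the thread: 6.0.2 (backport) and 8.0.1.
# 7.x is treated as affected because the thread names no 7.x fix (assumption).
AFFECTED_LOW = (5, 2, 2)
FIXED_FLOORS = {6: (6, 0, 2), 8: (8, 0, 1)}


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' into a tuple; pre-release suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """True when the version falls in the affected range and below its major's fix."""
    v = parse_version(version)
    if v < AFFECTED_LOW:
        return False
    floor = FIXED_FLOORS.get(v[0])
    if floor is not None:
        return v < floor
    return v[0] < 8  # 5.x / 7.x inside the stated range with no fix named


def find_ssri(root):
    """Yield (package.json path, version) for each ssri copy below root,
    including nested ones such as node_modules/npm/node_modules/ssri."""
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == "ssri" and "package.json" in filenames:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                data = json.load(fh)
            if data.get("name") == "ssri":
                yield path, str(data.get("version", ""))


def scan(root):
    """Return a list of (path, version, affected) for every ssri copy found."""
    return [(p, v, is_affected(v)) for p, v in find_ssri(root)]


if __name__ == "__main__":
    for path, version, affected in scan(sys.argv[1] if len(sys.argv) > 1 else "node_modules"):
        print(f"{'AFFECTED' if affected else 'ok      '} ssri@{version}  {path}")
```

Run it against the global npm install as well (for example the node_modules directory next to the npm binary), since that is where the bundled copy that the container scanner sees lives.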
Hi, a Prisma Cloud scan of our Docker container, which has Node 12 and npm 6.14.12, detected a vulnerability in the ssri 6.0.1 package. Any solution for this, please?
Description of the vulnerability and fix below:
ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Steps in Dockerfile we used to install node12 and npm: