
Update outdated dependency with vulnerabilities #2721

Closed
chillheart opened this issue Apr 13, 2020 · 3 comments


chillheart commented Apr 13, 2020

jsPDF is using an outdated version of canvg which contains vulnerable child dependencies, acorn and acorn-globals.

https://www.npmjs.com/advisories/1488

The vulnerabilities allow an attacker to block access to the app via a ReDoS attack. This has been mitigated, and canvg has removed or updated jsdom, which requires the vulnerable versions of acorn. Can you please update the dependencies to at least canvg@2.00, where they use newer versions that have mitigated the vulnerability?

@HackbrettXXX
Collaborator

Yes, that's probably a good idea, anyways.


eMarek commented Apr 14, 2020

I just wanted to make the same request. My issue is actually failing tests because of an old jsdom version, 8.1.0. For the record, this is the current dependency tree:

jspdf@^1.5.3:
  version "1.5.3"
  resolved "https://registry.yarnpkg.com/jspdf/-/jspdf-1.5.3.tgz#5a12c011479defabef5735de55c913060ed219f2"
  dependencies:
    canvg "1.5.3"
    file-saver eligrey/FileSaver.js#1.3.8
    html2canvas "1.0.0-alpha.12"
    omggif "1.0.7"
    promise-polyfill "8.1.0"
    stackblur-canvas "2.2.0"

canvg@1.5.3:
  version "1.5.3"
  resolved "https://registry.yarnpkg.com/canvg/-/canvg-1.5.3.tgz#aad17915f33368bf8eb80b25d129e3ae922ddc5f"
  dependencies:
    jsdom "^8.1.0"
    rgbcolor "^1.0.1"
    stackblur-canvas "^1.4.1"
    xmldom "^0.1.22"

jsdom@^8.1.0:
  version "8.5.0"
  resolved "https://registry.yarnpkg.com/jsdom/-/jsdom-8.5.0.tgz#d4d8f5dbf2768635b62a62823b947cf7071ebc98"
  dependencies:
    abab "^1.0.0"
    acorn "^2.4.0"
    acorn-globals "^1.0.4"
    array-equal "^1.0.0"
    cssom ">= 0.3.0 < 0.4.0"
    cssstyle ">= 0.2.34 < 0.3.0"
    escodegen "^1.6.1"
    iconv-lite "^0.4.13"
    nwmatcher ">= 1.3.7 < 2.0.0"
    parse5 "^1.5.1"
    request "^2.55.0"
    sax "^1.1.4"
    symbol-tree ">= 3.1.0 < 4.0.0"
    tough-cookie "^2.2.0"
    webidl-conversions "^3.0.1"
    whatwg-url "^2.0.1"
    xml-name-validator ">= 2.0.1 < 3.0.0"
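
As an added example (not code from the issue author or from the jsPDF project), here is a small script that parses a yarn.lock v1 excerpt like the one above and lists every dependency path by which a flagged package (here acorn) reaches the root package; the lock text inside it is a constructed, trimmed copy of the entries quoted in this comment.

```javascript
// Added example: find why a flagged package (e.g. acorn) is in a yarn.lock tree.
// Constructed input: the jspdf -> canvg -> jsdom entries quoted above, trimmed.
const LOCK = `
jspdf@^1.5.3:
  version "1.5.3"
  dependencies:
    canvg "1.5.3"
    html2canvas "1.0.0-alpha.12"

canvg@1.5.3:
  version "1.5.3"
  dependencies:
    jsdom "^8.1.0"
    rgbcolor "^1.0.1"

jsdom@^8.1.0:
  version "8.5.0"
  dependencies:
    acorn "^2.4.0"
    acorn-globals "^1.0.4"
`;

// Parse yarn.lock v1 into { name -> { version, deps: [names] } }.
// Entry headers look like `name@range:` (scoped names keep their leading "@").
function parseYarnLock(text) {
  const pkgs = {};
  let cur = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim()) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0) {
      // Strip trailing ":", keep the first spec, drop the "@range" suffix.
      const name = line.replace(/:$/, "").split(",")[0].trim().replace(/@[^@]*$/, "");
      cur = pkgs[name] = { version: null, deps: [] };
      inDeps = false;
    } else if (indent === 2) {
      inDeps = line === "dependencies:";
      const m = line.match(/^version "(.+)"$/);
      if (m && cur) cur.version = m[1];
    } else if (indent === 4 && inDeps && cur) {
      cur.deps.push(line.split(" ")[0].replace(/^"|"$/g, ""));
    }
  }
  return pkgs;
}

// Depth-first search returning all paths root -> ... -> target (cycles skipped).
function pathsTo(pkgs, root, target, path = [root]) {
  if (root === target) return [path];
  const entry = pkgs[root];
  if (!entry) return [];
  return entry.deps.flatMap(d => (path.includes(d) ? [] : pathsTo(pkgs, d, target, [...path, d])));
}
```

Running `pathsTo(parseYarnLock(LOCK), "jspdf", "acorn")` gives the single chain jspdf → canvg → jsdom → acorn, which is the chain the fix needs to cut.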

@github-actions

This issue is stale because it has been open 90 days with no activity. It will be closed soon. Please comment/reopen if this issue is still relevant.
