Major issue with static-server #134
Comments
|
Thank you Fred. |
|
It looks like the netlify-cli uses it; it's probably to run the server locally. |
|
The severity is reasonably high (7.5/10 I believe), and there are presumably no updates coming... so either fixing the possible future breaches is attempted or the app needs to be rewritten without the offending code... unless I'm missing something? |
|
This is beyond my knowledge. I'd appreciate it if someone can help. Thank you! |
|
The version of netlify-cli used by gbfs-validator uses static-server in development mode probably to run the server locally as pointed out by @davidgamez This should in and of itself be completely safe and nobody needs to worry about it. That said, netlify-cli has gotten rid of it in later versions - and the latest version is 5 major version upgrades from the one currently used by gbfs-validator. So it's probably not a bad idea to upgrade it. |
|
@testower Alright, thanks for your informed input. I'm satisfied. @davidgamez should we close this issue? |
|
@fredericsimard, I see no harm in updating the package, as mentioned by @testower. I think we should keep it open and address it with lower priority. |
@davidgamez @josee-sabourin
A dependabot alert was issued for all versions 2.2.1 and below of the static-server:
https://github.com/advisories/GHSA-v834-rhv4-65m3/dependabot?query=user%3AMobilityData
Used here:
gbfs-validator/yarn.lock
Line 8475 in 58b85a8
gbfs-validator/yarn.lock
Line 10412 in 58b85a8
gbfs-validator/yarn.lock
Line 10414 in 58b85a8
The issue is that 2.2.1 is the latest version and it has not been updated in 6 years:
https://www.npmjs.com/package/static-server
The text was updated successfully, but these errors were encountered: