Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] Moderate vulnerability in @refinedev/[email protected] #6321

Closed
bombillazo opened this issue Sep 11, 2024 · 2 comments · Fixed by #6354, #6336 or #6404
Closed

[BUG] Moderate vulnerability in @refinedev/[email protected] #6321

bombillazo opened this issue Sep 11, 2024 · 2 comments · Fixed by #6354, #6336 or #6404
Assignees
@arndom
Labels
bug Something isn't working
Milestone
October Release

Comments

@bombillazo
Copy link
Contributor

Describe the bug

There is a moderate vulnerability on @refinedev/[email protected]

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install @refinedev/[email protected], which is a breaking change
node_modules/serve-static/node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static
    express  4.0.0-rc1 - 5.0.0-beta.3
    Depends on vulnerable versions of serve-static
    node_modules/express
      @refinedev/cli  >=2.5.4
      Depends on vulnerable versions of @refinedev/devtools-server
      Depends on vulnerable versions of express
      node_modules/@refinedev/cli
      @refinedev/devtools-server  *
      Depends on vulnerable versions of express
      node_modules/@refinedev/devtools-server

Steps To Reproduce

N/A

Expected behavior

No vulnerability is present, use updated package

Packages

  • @refinedev/cli

Additional Context

No response
@bombillazo bombillazo added the bug Something isn't working label Sep 11, 2024
@aliemir
Copy link
Member

aliemir commented Sep 12, 2024

Hey @bombillazo thank you for reporting! Looks like serve-static just had a bump to fix the vulnerability and express also had a release 10 hours ago with the fixed version (Check out [email protected]) We don't pin the express version in @refinedev/cli and @refinedev/devtools-server so having a clean install without a lock file may upgrade it to latest. 🚀

Still, we can upgrade the version number to the fixed version in our package.json files. Would you like to work on this? We'd love to see your PR 🙏

@aliemir aliemir added this to the October Release milestone Sep 12, 2024
@arndom
Copy link
Contributor

arndom commented Sep 17, 2024

@bombillazo can I work on this if you're unavailable

@arndom arndom mentioned this issue Sep 18, 2024
Merged
5 tasks
aliemir added a commit that referenced this issue Sep 23, 2024
@arndom @aliemir
fix(devtools-server): bump express to ^4.21.0 (#6354) (resolves #…
da9da4e 
…6321)

Co-authored-by: Ali Emir Şen <[email protected]>
@aliemir aliemir mentioned this issue Sep 23, 2024
Closed
@BatuhanW BatuhanW linked a pull request Oct 14, 2024 that will close this issue
release: october 2024 #6336
Merged
@refine-bot refine-bot mentioned this issue Oct 14, 2024
Closed
@aliemir aliemir linked a pull request Oct 14, 2024 that will close this issue
release: october 2024 #6404
Merged
@refine-bot refine-bot mentioned this issue Oct 14, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@arndom arndom

Labels
bug Something isn't working
Projects
None yet
Milestone
October Release
3 participants
@aliemir @arndom @bombillazo