BrowserSync / browser-sync

Keep multiple browsers & devices in sync when building websites. https://browsersync.io
https://discord.gg/2d2xUThp
Apache License 2.0

Publish a new release with send >= 0.19.0; CVE-2024-43799 #2086

Open sdavids opened 4 days ago

sdavids commented 4 days ago
$ mkdir /tmp/test && cd "$_"
$ npm i --save-dev browser-sync@3.0.2
$ npm audit
# npm audit report

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install browser-sync@2.26.2, which is a breaking change
node_modules/send
  browser-sync  >=2.12.1
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/browser-sync
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
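
A defender-side check for this advisory, added here as an example and not code from browser-sync or from the issue's author: it scans a parsed package-lock.json for installed copies of send and serve-static still inside the ranges `npm audit` flagged above (send <0.19.0, serve-static <=1.16.0), including nested copies that a top-level `npm ls` can hide. The lockfile embedded below is constructed, and the simplified version compare and helper names are assumptions of this example.

```javascript
// Vulnerable ranges exactly as `npm audit` reported them above.
const VULNERABLE_RANGES = {
  send: (v) => compareVersions(v, '0.19.0') < 0, // send <0.19.0
  'serve-static': (v) => compareVersions(v, '1.16.0') <= 0, // serve-static <=1.16.0
};

// Numeric compare of dotted release versions; returns -1, 0 or 1.
// Pre-release/build suffixes are dropped (sufficient for x.y.z release tags).
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^v/, '').split(/[-+]/)[0].split('.').map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed copy whose version falls inside a vulnerable range.
// The package name is whatever follows the last "node_modules/" in the key,
// so nested copies (node_modules/x/node_modules/send) and scoped names work.
function findVulnerable(lock) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '' || !entry.version) continue; // skip root entry and links
    const name = key.split('node_modules/').pop();
    const inRange = VULNERABLE_RANGES[name];
    if (inRange && inRange(entry.version)) hits.push({ path: key, name, version: entry.version });
  }
  return hits;
}

// Constructed lockfile for the demo; only browser-sync@3.0.2 comes from the
// issue, the other versions are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { devDependencies: { 'browser-sync': '^3.0.2' } },
    'node_modules/browser-sync': { version: '3.0.2' },
    'node_modules/send': { version: '0.18.0' },
    'node_modules/serve-static': { version: '1.15.0' },
    'node_modules/other-tool/node_modules/send': { version: '0.19.0' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.name}@${h.version} is in the vulnerable range`);
}
```

To run it against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findVulnerable` instead of `SAMPLE_LOCK`.
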

max-holland commented 2 days ago

+1

yokoishioka commented 1 day ago

I just submitted a PR for this and to resolve the one for serve-static as well: https://github.com/BrowserSync/browser-sync/pull/2087

rmch91 commented 1 day ago

+1

shakyShane commented 1 day ago

I'll sort this later today, thanks :)