Version 0.14.0 Vulnerabilities

GoogleChrome / lighthouse-ci

Automate running Lighthouse for every commit, viewing the changes, and preventing regressions

Apache License 2.0

6.44k stars 649 forks source link

Version 0.14.0 Vulnerabilities #1074

Open Elte156 opened 1 month ago

Elte156 commented 1 month ago

Describe the bug

Currently, @lhci/cli 0.14.0 has a number of vulnerabilities

Here is one we identified:

https://security.snyk.io/vuln/SNYK-JS-COOKIE-8163060

Issues with no direct upgrade or patch:
  ✗ Cross-site Scripting (XSS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-COOKIE-8163060] in cookie@0.4.2
    introduced by @lhci/cli@0.14.0 > express@4.20.0 > cookie@0.6.0 and 7 other path(s)
  This issue was fixed in versions: 0.7.0

hamirmahal commented 1 month ago

I think I came across something similar in a few of my repositories.

@lhci/cli@0.14.0 requires cookie@^0.4.1 via a transitive dependency on @sentry/node@6.19.7
@lhci/cli@0.14.0 requires cookie@0.6.0 via a transitive dependency on express@4.21.0

hamirmahal commented 1 month ago

For what it's worth, it looks like express fixed this with https://github.com/expressjs/express/pull/6029.