KurtzL / nestjs-temporal

Temporal plugin for nestjs framework
MIT License

Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url #21

Open saberistic opened 1 year ago

saberistic commented 1 year ago

We are observing the following dependency vuln via Dependabot. This is a critical vuln.

Dependabot cannot update parse-url to a non-vulnerable version
The latest possible version that can be installed is 6.0.5 because of the following conflicting dependencies:

nestjs-temporal@1.0.0 requires parse-url@^6.0.0 via a transitive dependency on git-up@4.0.5
No patched version available for parse-url
The earliest fixed version is 8.1.0.
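As an added example (not code from this issue or from the nestjs-temporal project), a small Node.js check that reads a package-lock.json `packages` map, reports every installed copy of parse-url below the fixed 8.1.0, and prints the dependency chain that pins it. The lockfile object is constructed inline to mirror the chain Dependabot reports above; `compareVersions`, `whoRequires` and `findVulnerable` are names chosen here.

```javascript
// Audit a lockfile for a vulnerable transitive parse-url (added example).
// Constructed lockfileVersion 2/3 "packages" map mirroring the issue's chain:
// nestjs-temporal@1.0.0 -> git-up@4.0.5 -> parse-url@6.0.5 (fixed in 8.1.0).
const FIXED_PARSE_URL = "8.1.0";

const lockfile = {
  packages: {
    "node_modules/nestjs-temporal": { version: "1.0.0", dependencies: { "git-up": "^4.0.5" } },
    "node_modules/git-up": { version: "4.0.5", dependencies: { "parse-url": "^6.0.0" } },
    "node_modules/parse-url": { version: "6.0.5" },
  },
};

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Package name from a lockfile path ("node_modules/a/node_modules/@s/b" -> "@s/b").
function nameOf(path) { return path.split("node_modules/").pop(); }

// Walk backwards through declared dependencies to find who pulls in `target`.
// A visited set stops the walk on cyclic dependency graphs.
function whoRequires(lock, target) {
  const chain = [target];
  const seen = new Set([target]);
  let current = target;
  for (;;) {
    const parent = Object.entries(lock.packages)
      .find(([, pkg]) => pkg.dependencies && pkg.dependencies[current]);
    if (!parent || seen.has(nameOf(parent[0]))) return chain;
    current = nameOf(parent[0]);
    seen.add(current);
    chain.unshift(current);
  }
}

// Every installed copy of `name` whose version is below `fixed`, with its chain.
function findVulnerable(lock, name, fixed) {
  return Object.entries(lock.packages)
    .filter(([path, pkg]) => nameOf(path) === name && compareVersions(pkg.version, fixed) < 0)
    .map(([path, pkg]) => ({ path, version: pkg.version, chain: whoRequires(lock, name).join(" -> ") }));
}

console.log(findVulnerable(lockfile, "parse-url", FIXED_PARSE_URL));
```

Point the script at a real lockfile by replacing the constructed `lockfile` object with `JSON.parse(fs.readFileSync("package-lock.json"))`.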

jdnichollsc commented 1 year ago

I think it was fixed, right @saberistic?

saberistic commented 1 year ago

Yes, I fixed it in this commit: https://github.com/BAXUSNFT/nestjs-temporal/commit/0fdbd790401e8e00130b4c46b877c9914dc07efa