aau-giraf / api_client

API client for Flutter to communicate with the web-api
GNU General Public License v3.0

api_client dependabot alert: http before 0.13.3 vulnerable to header injection #110

Closed Jaffenheimer closed 1 year ago

Jaffenheimer commented 2 years ago

api_client dependabot alert: http before 0.13.3 vulnerable to header injection. The Weekplanner repo has been scanned by Dependabot, which found (in our pubspec) that we are using a version of http that is too old and contains an "http header injection vulnerability". https://github.com/aau-giraf/api_client/security/dependabot/1

Potential fix: update http to a version after 0.13.3, or "validating request methods". I recommend an upgrade.

Fixed in: https://github.com/aau-giraf/weekplanner/pull/896
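The comment above names two ways out: upgrade http past 0.13.3, or validate request methods yourself. The following is an added example, not code from aau-giraf/api_client or from package:http, of what the second option looks like: the method is checked against the RFC 7230 token grammar before a `http.Request` is built, so a value carrying CR/LF can never be written onto the wire as an extra header line. It assumes a Dart 2.12+ project with `http` in its pubspec; `buildRequest` and `isValidMethod` are names chosen here.

```dart
// Added example: reject malformed HTTP methods before they reach package:http.
// Not code from aau-giraf/api_client. Assumes Dart 2.12+ and package:http in pubspec.
import 'package:http/http.dart' as http;

/// RFC 7230 "token" grammar, one or more tchar characters:
/// tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
///         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
final RegExp _tokenPattern = RegExp(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$");

/// Returns true if [method] is a syntactically valid HTTP method token.
/// CR, LF, spaces and every other non-tchar byte fail the match, so a
/// string such as "GET\r\nX-Injected: 1" is rejected rather than serialised.
bool isValidMethod(String method) => _tokenPattern.hasMatch(method);

/// Builds an [http.Request], throwing [ArgumentError] if the method is not a
/// valid token. This is the "validating request methods" mitigation from the
/// advisory; http >= 0.13.3 performs the equivalent check inside the library.
http.Request buildRequest(String method, Uri url) {
  if (!isValidMethod(method)) {
    throw ArgumentError.value(method, 'method', 'invalid HTTP method token');
  }
  return http.Request(method, url);
}

void main() {
  final url = Uri.parse('https://example.invalid/api');
  // Constructed inputs: two benign methods, one CRLF payload, one with a space.
  for (final m in ['GET', 'POST', 'GET\r\nX-Injected: 1', 'GE T']) {
    final shown = m.replaceAll('\r', r'\r').replaceAll('\n', r'\n');
    try {
      final req = buildRequest(m, url);
      print('accepted: ${req.method}');
    } on ArgumentError catch (e) {
      print('rejected ($shown): ${e.message}');
    }
  }
}
```

Run with `dart run` from a project that declares `http` as a dependency; the first two methods are accepted and the two malformed ones throw before any request object exists. Validation at the call site is only a stopgap: it protects the code paths that go through `buildRequest`, while the upgrade fixes every caller at once.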

Lildhansen commented 2 years ago

Updating HTTP to version 0.13.3 requires updating the SDK to a newer version (see picture). However, doing this results in 551 issues. Therefore we are unsure how we should fix the Dependabot issue. We reckon there will be a similar problem with issue https://github.com/aau-giraf/weekplanner/issues/876

Image

Lildhansen commented 2 years ago

And you also need admin privileges on GitHub to see the alerts.

andreaslborg commented 1 year ago

Both Dart SDK and http in pubspec will be updated with flutter upgrade: https://github.com/aau-giraf/weekplanner/pull/896

Without having checked with dependabot, this issue might be resolved with this PR.

andreaslborg commented 1 year ago

As suspected, the issues were resolved following the Flutter upgrade https://github.com/aau-giraf/weekplanner/pull/896.