alvarotrigo / react-fullpage

Official React.js wrapper for fullPage.js https://alvarotrigo.com/react-fullpage/
GNU General Public License v3.0

Latest version of @fullpage/react-fullpage depends on vulnerable versions of fullpage.js #319

Closed madeline-petersen closed 2 years ago

madeline-petersen commented 2 years ago

Description

Latest @fullpage/react-fullpage version 0.1.23 depends on vulnerable versions of fullpage.js (v3.1.2)

package-lock.json:

    "node_modules/@fullpage/react-fullpage": {
      "version": "0.1.23",
      "resolved": "https://registry.npmjs.org/@fullpage/react-fullpage/-/react-fullpage-0.1.23.tgz",
      "integrity": "sha512-eTS9GeOx18ljNBqvAhi76y7DudMDG760DCPmojYxXS/bYkqI3L6elmCSn/Vva6i8ZEkIrzAl0jSoNx6R+7rS0g==",
      "dependencies": {
        "@babel/polyfill": "^7.2.5",
        "fullpage.js": "^3.1.2"
      }
    },

npm audit report:

# npm audit report

fullpage.js  <=4.0.4
Severity: high
Cross-site Scripting in fullpage.js - https://github.com/advisories/GHSA-h3cq-j957-vhxg
Prototype Pollution in fullpage.js - https://github.com/advisories/GHSA-vpgw-ffh3-648h
No fix available
node_modules/fullpage.js
  @fullpage/react-fullpage  *
  Depends on vulnerable versions of fullpage.js
  node_modules/@fullpage/react-fullpage
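A small version of the check `npm audit` performs above, as an added example that is not code from this issue or from the react-fullpage project: it walks the `packages` map of a lockfile-v2/v3 `package-lock.json`, finds every installed copy of a package whose version is at or below the last vulnerable release (here `fullpage.js <= 4.0.4`, as in the report), and lists the lock entries that declare a dependency on it. The `SAMPLE_LOCK` object is constructed from the values quoted in the issue; the version comparison is a minimal `MAJOR.MINOR.PATCH` compare written here so the script runs offline without the `semver` package.

```javascript
// Added example: scan a package-lock.json "packages" map for copies of a
// package inside a vulnerable version range and report who pulls them in.

// Constructed lock excerpt modelled on the one quoted in the issue; only the
// fields this script needs are present.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "@fullpage/react-fullpage": "^0.1.23" } },
    "node_modules/@fullpage/react-fullpage": {
      version: "0.1.23",
      dependencies: { "@babel/polyfill": "^7.2.5", "fullpage.js": "^3.1.2" },
    },
    "node_modules/fullpage.js": { version: "3.1.2" },
    "node_modules/@babel/polyfill": { version: "7.12.1" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are
// dropped, which is good enough for a "<= X.Y.Z" range check.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Sort-style comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] - y[i];
  }
  return 0;
}

// Package name from a lock path such as "node_modules/a/node_modules/@s/b".
function nameFromPath(p) {
  const marker = "node_modules/";
  return p.slice(p.lastIndexOf(marker) + marker.length);
}

// Return every installed copy of `name` whose version is <= `maxVulnerable`,
// together with the lock entries that declare a dependency on `name`.
// Simplification: dependents are matched by declared name only, not by the
// nested node_modules path npm would actually resolve to.
function findVulnerable(lock, name, maxVulnerable) {
  const packages = lock.packages || {};
  const dependents = Object.entries(packages)
    .filter(([, e]) => e.dependencies && name in e.dependencies)
    .map(([p]) => (p === "" ? "<root>" : nameFromPath(p)));
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || !entry.version) continue; // root / link entries
    if (nameFromPath(path) !== name) continue;
    if (compareVersions(entry.version, maxVulnerable) > 0) continue;
    hits.push({ path, version: entry.version, dependents });
  }
  return hits;
}

// Human-readable report lines, one per vulnerable copy found.
function report(lock, name, maxVulnerable) {
  return findVulnerable(lock, name, maxVulnerable).map(
    (h) => `${h.path}@${h.version} (<= ${maxVulnerable}) pulled in by: ${h.dependents.join(", ")}`
  );
}

for (const line of report(SAMPLE_LOCK, "fullpage.js", "4.0.4")) {
  console.log(line);
}
```

On the constructed lock this prints one line naming `node_modules/fullpage.js@3.1.2` with `@fullpage/react-fullpage` as the dependent, which matches the shape of the `npm audit` output above: the vulnerable package is transitive, so the fix has to come from the wrapper bumping its `fullpage.js` dependency rather than from the application's own `package.json`.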
madeline-petersen commented 2 years ago

Oh, looks like dependabot already made the PR...

https://github.com/alvarotrigo/react-fullpage/pull/317