apollographql / apollo-tooling

✏️ Apollo CLI for client tooling (Mostly replaced by Rover)
https://apollographql.com
MIT License
3.04k stars, 468 forks

Bump vulnerable version of moment #2677

Open artola opened 1 year ago

artola commented 1 year ago

Intended outcome:

Installing the package apollo v2.34.0 should be "safe". A new package should be published containing the patched version of moment.

Actual outcome:

Apollo v2.34.0 contains moment v2.29.3 as a dependency, which reports the following vulnerability:

├─ moment: 2.29.3
│  ├─ Issue: Moment.js vulnerable to Inefficient Regular Expression Complexity
│  ├─ URL: https://github.com/advisories/GHSA-wc69-rhjr-hc9g
│  ├─ Severity: high
│  ├─ Vulnerable Versions: >=2.18.0 <2.29.4
│  ├─ Patched Versions: >=2.29.4
│  ├─ Via: moment, moment-timezone, @sl/fusion.common-utils, @sl/fusion.common-static, @sl/fusion.common-components, @sl/fusion.widgets-manager, @sl/fusion.common-wizpack, @sl/fusion.widgets-certificate
│  └─ Recommendation: Upgrade to version 2.29.4 or later

How to reproduce the issue:

Versions

apollo v2.34.0
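The audit output above boils down to a range check: the installed version (2.29.3) falls inside the advisory's "Vulnerable Versions" range (`>=2.18.0 <2.29.4`) and outside the "Patched Versions" range (`>=2.29.4`). The following is an added example, not code from the apollo-tooling project or from the issue author, showing how such a check can be done against a dependency list without a network call. It assumes a constructed advisory table containing only the GHSA-wc69-rhjr-hc9g entry reported in the issue, supports only the comparator subset GitHub advisories use (`>=`, `<=`, `>`, `<`, `=`, space-separated, all must match), and ignores pre-release tags.

```javascript
// Added example (not part of apollo-tooling): minimal semver range checker that
// flags installed packages whose version sits inside an advisory's vulnerable
// range. Assumptions: advisory ranges use only >=, <=, >, <, = comparators
// joined by spaces (AND); pre-release/build tags are ignored.

// "2.29.3" or "v2.29.3" -> [2, 29, 3]
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`cannot parse version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric component-wise comparison: -1, 0 or 1 (so 2.29.10 > 2.29.9).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// ">=2.18.0 <2.29.4" -> [{ op: '>=', version: '2.18.0' }, { op: '<', version: '2.29.4' }]
function parseRange(range) {
  return range
    .trim()
    .split(/\s+/)
    .filter(Boolean)
    .map((token) => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(token);
      return { op: m[1] || '=', version: m[2] };
    });
}

// True when every comparator in the range holds for the given version.
function satisfiesRange(version, range) {
  return parseRange(range).every(({ op, version: bound }) => {
    const c = compareVersions(version, bound);
    switch (op) {
      case '>=': return c >= 0;
      case '<=': return c <= 0;
      case '>':  return c > 0;
      case '<':  return c < 0;
      default:   return c === 0;
    }
  });
}

// Constructed advisory table: only the entry reported in the issue.
const ADVISORIES = [
  {
    name: 'moment',
    id: 'GHSA-wc69-rhjr-hc9g',
    severity: 'high',
    vulnerable: '>=2.18.0 <2.29.4',
    patched: '>=2.29.4',
  },
];

// installed: { packageName: version }. Returns one finding per matching advisory.
function findVulnerable(installed, advisories = ADVISORIES) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    for (const adv of advisories) {
      if (adv.name === name && satisfiesRange(version, adv.vulnerable)) {
        findings.push({
          name,
          version,
          id: adv.id,
          severity: adv.severity,
          fix: adv.patched,
        });
      }
    }
  }
  return findings;
}

// Constructed sample dependency set: the version from the issue plus an
// unrelated package that should not be flagged.
const SAMPLE_INSTALLED = { moment: '2.29.3', graphql: '15.8.0' };
console.log(JSON.stringify(findVulnerable(SAMPLE_INSTALLED), null, 2));
```

Running the block reports the single moment finding with its advisory id and the `>=2.29.4` fix range; bumping the sample to `2.29.4` yields an empty list, which is the state the issue is asking for.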