apostrophecms / sanitize-html

Clean up user-submitted HTML, preserving whitelisted elements and whitelisted attributes on a per-element basis. Built on htmlparser2 for speed and tolerance.
MIT License

Please upgrade Postcss to later version to fix vulnerability issue #537

Closed akbarkz closed 2 years ago

akbarkz commented 2 years ago

To Reproduce

Add Snyk as an application in the GitHub Actions of a repo; that should add a pipeline step security/snyk. Have sanitize-html as a dependency of the project and push a PR to GitHub.

Expected behavior

I expect security/snyk pipeline not to break with any vulnerability issues.

Describe the bug

In our project security/snyk pipeline broke with an error regarding one of the dependencies having a vulnerability issue.

Details

Namely, nanoid, which is used in the postcss that you guys are using. It's complaining about nanoid version 3.1.30, and the issue is already fixed in 3.1.31. The version of sanitize-html that we use is 2.6.1.

Version of Node.js: 14.17.6

Server Operating System: Docker image node:16.13-stretch

Screenshots: Snyk's report (image: https://user-images.githubusercontent.com/15943863/152967283-e21368fa-fa0c-460f-91c8-2c6b2188afc5.png)

boutell commented 2 years ago

Does this require a major version change in postcss? If not, then an npm update should take care of it in any project, due to the semantic versioning rule already in place:

^8.4.6


--

THOMAS BOUTELL | CHIEF TECHNOLOGY OFFICER APOSTROPHECMS | apostrophecms.com | he/him/his

akbarkz commented 2 years ago

You're right, removing yarn.lock and reinstalling all the packages solved the issue. Sorry for bothering.
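The two comments above describe the mechanism in words: postcss is declared as `^8.4.6`, so semver already admits a nanoid release with the fix, yet the lockfile keeps pinning 3.1.30 until it is regenerated. The script below is an added example for this thread, not code from sanitize-html, postcss or the commenters. It reads a constructed yarn.lock v1 fragment (the nanoid versions 3.1.30 and 3.1.31 are those reported in the issue; the `nanoid "^3.1.30"` range under postcss is an assumption for the example), finds the pinned version of a transitive package, compares it against the first fixed release, and reports whether a plain lockfile refresh would pull the fix through the existing caret ranges or whether a major-version bump upstream is needed. It handles scoped package keys as well, which the thread does not mention.

```javascript
// Added example, not part of sanitize-html or postcss. The lockfile text
// below is constructed for illustration; only the nanoid version numbers
// come from the issue report.
const LOCKFILE = `
# yarn lockfile v1

"@types/node@^16.0.0":
  version "16.11.22"
  resolved "https://registry.yarnpkg.com/@types/node/-/node-16.11.22.tgz"

nanoid@^3.1.30:
  version "3.1.30"
  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.1.30.tgz"

postcss@^8.4.6:
  version "8.4.6"
  resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.4.6.tgz"
  dependencies:
    nanoid "^3.1.30"
`;

// Parse "MAJOR.MINOR.PATCH" into three integers. Pre-release tags are not
// needed for this example and are rejected rather than mis-ordered.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1, usable as a sort comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: ^X.Y.Z admits versions >= X.Y.Z that keep the left-most
// non-zero component unchanged (^3.1.30 -> <4.0.0, ^0.1.2 -> <0.2.0,
// ^0.0.3 -> exactly 0.0.3).
function caretAllows(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const baseStr = range.slice(1);
  const base = parseVersion(baseStr);
  const v = parseVersion(version);
  if (compareVersions(version, baseStr) < 0) return false;
  const fixedPrefix = base[0] !== 0 ? 1 : base[1] !== 0 ? 2 : 3;
  for (let i = 0; i < fixedPrefix; i++) {
    if (v[i] !== base[i]) return false;
  }
  return true;
}

// Minimal yarn.lock v1 reader: each block starts with one or more
// `name@range` keys at column 0 (quoted when scoped) and carries an
// indented `version "..."` line. Blocks are separated by blank lines.
function findLockedVersions(lockfile, pkgName) {
  const entries = [];
  for (const block of lockfile.split(/\n\s*\n/)) {
    const lines = block.split("\n").filter((l) => l.trim() !== "");
    if (lines.length === 0 || lines[0].startsWith("#") || /^\s/.test(lines[0])) continue;
    const keys = lines[0]
      .replace(/:\s*$/, "")
      .split(",")
      .map((k) => k.trim().replace(/^"|"$/g, ""));
    const versionLine = lines.find((l) => /^\s+version\s+"/.test(l));
    if (!versionLine) continue;
    const version = /version\s+"([^"]+)"/.exec(versionLine)[1];
    for (const key of keys) {
      // Scoped names start with "@", so split on the last "@" only.
      const at = key.lastIndexOf("@");
      const name = key.slice(0, at);
      const range = key.slice(at + 1);
      if (name === pkgName) entries.push({ range, version });
    }
  }
  return entries;
}

// Which pinned versions are below the first fixed release, and would
// regenerating the lock (the fix applied in this thread) reach that
// release through the ranges already declared?
function auditPackage(lockfile, pkgName, firstFixedVersion) {
  const pinned = findLockedVersions(lockfile, pkgName);
  const vulnerable = pinned.filter((e) => compareVersions(e.version, firstFixedVersion) < 0);
  const fixableByRefresh =
    vulnerable.length > 0 && vulnerable.every((e) => caretAllows(e.range, firstFixedVersion));
  return { pinned, vulnerable, fixableByRefresh };
}

console.log(JSON.stringify(auditPackage(LOCKFILE, "nanoid", "3.1.31"), null, 2));
```

For the constructed lockfile the report lists nanoid 3.1.30 as pinned and vulnerable with `fixableByRefresh: true`, which is the situation in this issue: deleting the lockfile (or a targeted `yarn upgrade` / `npm update`) is enough. Running the same check with a hypothetical fix landing only in 4.0.0 flips `fixableByRefresh` to `false`, the case where the maintainers would have to publish a new release with a widened range.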

boutell commented 2 years ago

No worries.
