balmjs / balm-ui

:diamonds: A modular and customizable UI library based on Material Design and Vue
https://material.balmjs.com
MIT License

Dependency vulnerability from quill #102

Open ghost opened 2 years ago

ghost commented 2 years ago

# npm audit report

quill  <=1.3.7
Severity: moderate
Cross-site Scripting in quill - https://github.com/advisories/GHSA-4943-9vgg-gr5r
fix available via `npm audit fix --force`
Will install balm-ui@6.6.5, which is a breaking change
node_modules/quill
  balm-ui  >=6.7.0
  Depends on vulnerable versions of quill
  node_modules/balm-ui

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
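As an added example (not code from this issue or from the BalmUI project), a small triage helper for exactly the situation in the report above: it parses `npm audit --json` output (the npm v7+ report shape is assumed, and the sample below is constructed to mirror the quill / balm-ui report) and lists advisories whose only available fix is a semver-major change, so a forced fix such as the downgrade to balm-ui@6.6.5 is reviewed instead of applied blindly by `npm audit fix --force`.

```python
import json

# Constructed sample mirroring the report quoted in this issue (npm v7+
# `npm audit --json` shape); not output captured from a real project.
SAMPLE_AUDIT_JSON = json.dumps({
    "vulnerabilities": {
        "quill": {
            "name": "quill", "severity": "moderate", "isDirect": False,
            "via": [{"name": "quill", "title": "Cross-site Scripting in quill",
                     "url": "https://github.com/advisories/GHSA-4943-9vgg-gr5r",
                     "severity": "moderate", "range": "<=1.3.7"}],
            "effects": ["balm-ui"], "range": "<=1.3.7",
            "nodes": ["node_modules/quill"],
            "fixAvailable": {"name": "balm-ui", "version": "6.6.5",
                             "isSemVerMajor": True},
        },
        "balm-ui": {
            "name": "balm-ui", "severity": "moderate", "isDirect": True,
            "via": ["quill"], "effects": [], "range": ">=6.7.0",
            "nodes": ["node_modules/balm-ui"],
            "fixAvailable": {"name": "balm-ui", "version": "6.6.5",
                             "isSemVerMajor": True},
        },
    }
})

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def breaking_only_fixes(audit_json, min_severity="moderate"):
    """Return (package, advisory_url, fix) tuples for root vulnerabilities at or
    above min_severity whose only fix is semver-major. Entries that merely
    inherit the problem (``via`` is a list of package names) are skipped."""
    report = json.loads(audit_json)
    findings = []
    for name, vuln in report.get("vulnerabilities", {}).items():
        if SEVERITY_RANK[vuln["severity"]] < SEVERITY_RANK[min_severity]:
            continue
        # Advisory objects mark the root cause; plain strings are effects only.
        advisories = [v for v in vuln["via"] if isinstance(v, dict)]
        if not advisories:
            continue
        fix = vuln.get("fixAvailable")
        if isinstance(fix, dict) and fix.get("isSemVerMajor"):
            for adv in advisories:
                findings.append((name, adv["url"], f"{fix['name']}@{fix['version']}"))
    return findings


if __name__ == "__main__":
    for pkg, url, fix in breaking_only_fixes(SAMPLE_AUDIT_JSON):
        print(f"{pkg}: {url} (only fix is breaking: {fix})")
```

In a pipeline, feed it `npm audit --json` from the real project and fail the job when the list is non-empty, so a breaking downgrade is a conscious decision.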

elf-mouse commented 2 years ago

Hi @1FootN,

ui-editor belongs to the BalmUI plus package (Unofficial Google MDC), which is a component built on quill; we will follow the official quill update first.

If the current risks of third-party dependencies have a large impact on your project, it is recommended that you avoid using ui-editor by using BalmUI individual usage for plus components.

Thanks :)

loicdekester commented 2 months ago

Since quill was updated in v10.29.0, this warning no longer shows when running npm audit. This issue can be closed.