bevacqua / dragula

:ok_hand: Drag and drop so simple it hurts
https://bevacqua.github.io/dragula/
MIT License
21.89k stars 1.97k forks

Github CVE warning due to Uglify version #581

Closed plumdog closed 3 years ago

plumdog commented 5 years ago

Github's dependency checker got worried because Dragula's package.json points at a version of Uglify with a CVE.

[Screenshot: dragula_uglify_github_cve]

This suggests using Uglify 2.6.0 (or greater) and also links to the CVE at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858. Dragula uses uglify 2.4.24 as of v3.7.2.

For the "and what to do about it" part of this, I think there are two bits:

  1. Does this mean that versions of Dragula that use the affected version of uglify are vulnerable? I don't really understand the CVE, but I think the answer is "no". I think it only affects uglify at runtime, not all code that has been uglified. Maybe worth someone who is more capable than me making sure though.

  2. Is this worth fixing anyway? I think the answer is "yes", if nothing else to make it so people don't see Github's "you have dependencies with CVEs" warning message thing and get worried. Also, I'd be surprised if upgrading Uglify broke anything, and the version of uglify is quite old fwiw. I would guess upgrading will be easy.
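The triage in the two points above (is the pinned version inside the advisory's range, and is the package a build tool or something shipped at runtime) can be scripted against a package.json. The following is added example code, not dragula's own; the sample manifest, the `example-lib` and `some-runtime-lib` names, and the `triageAdvisory`/`compareSemver` helpers are constructed for illustration, while the CVE id and the 2.6.0 fix version come from the thread.

```javascript
// Strip a leading range operator (^, ~, >=) and split "x.y.z" into numbers.
const parseVersion = (v) =>
  v.replace(/^[\^~>=<\s]+/, '').split('.').map((n) => parseInt(n, 10) || 0);

// Three-component semver compare: -1 if a < b, 0 if equal, 1 if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const [x, y] = [pa[i] || 0, pb[i] || 0];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Report whether the pinned version of advisory.package is below the fixed
// version and whether the package is only a devDependency (run by the
// maintainer's build) or a runtime dependency (shipped to library users).
function triageAdvisory(pkg, advisory) {
  const runtime = (pkg.dependencies || {})[advisory.package];
  const dev = (pkg.devDependencies || {})[advisory.package];
  const pinned = runtime || dev;
  if (!pinned) return { present: false };
  const affected = compareSemver(pinned, advisory.fixedIn) < 0;
  return {
    present: true,
    pinned,
    affected,
    exposure: runtime ? 'runtime' : 'build-time only',
    action: affected
      ? `upgrade ${advisory.package} to >=${advisory.fixedIn}`
      : 'no change needed',
  };
}

// Constructed sample manifest modelled on the situation in this thread
// (uglify pinned below 2.6.0 as a build tool); not dragula's real package.json.
const SAMPLE_PKG = {
  name: 'example-lib',
  dependencies: { 'some-runtime-lib': '1.0.0' },
  devDependencies: { 'uglify-js': '2.4.24' },
};
const ADVISORY = { package: 'uglify-js', id: 'CVE-2015-8858', fixedIn: '2.6.0' };

console.log(triageAdvisory(SAMPLE_PKG, ADVISORY));
```

For the sample manifest this reports the pin as affected but "build-time only", which matches the thread's conclusion that the warning is worth clearing by upgrading even though downstream users of the built library are not exposed.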

dcantatore commented 3 years ago

Updated in branch, being merged shortly