Open lexiconwriter opened 5 months ago
I've been getting this for a while too in projects where dataview is installed:
$ npm audit
# npm audit report
svelte <3.49.0
Severity: moderate
Svelte vulnerable to XSS when using objects during server-side rendering - https://github.com/advisories/GHSA-wv8q-r932-8hc7
fix available via `npm audit fix --force`
Will install obsidian-dataview@0.4.21, which is a breaking change
node_modules/svelte
obsidian-calendar-ui *
Depends on vulnerable versions of svelte
node_modules/obsidian-calendar-ui
obsidian-dataview >=0.4.22
Depends on vulnerable versions of obsidian-calendar-ui
node_modules/obsidian-dataview
3 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Running "npm audit fix --force" breaks the build in ways that I do not yet understand.
Just ignoring the message seems to work :), but it is very confusing for users, especially when following the "fix" instructions makes things break more :)
I honestly doubt this is something to worry about given that Obsidian and this plugin both run entirely offline. May be worth upgrading deps though.
deps need a push. yes. this issue is nothing to worry about though, since the affected SSR svelte component is not even used in here at all. this issue is a false-positive non-issue.
still.. to remove that silly message people see, we should definitely push the dep.
> to remove that silly message people see, we should definitely push the dep
Better it is: https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
What happened?
package.json:
"obsidian-calendar-ui": "^0.3.12",
The vulnerable module is svelte. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25875
The fix came in svelte@3.49.0
https://snyk.io/advisor/npm-package/obsidian-calendar-ui
DQL: No response
JS: No response
Dataview Version: 0.5.66
Obsidian Version: 1.5.11
OS: Windows
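The confusion in this thread comes from reading the text form of the audit report: the flagged package (svelte) is three levels down, and the only fix npm can offer is a semver-major downgrade of the direct dependency, which is why `npm audit fix --force` breaks the build. The script below is an added example, not code from the issue or from the Dataview project. It walks the `npm audit --json` report (the `auditReportVersion: 2` shape emitted by npm 7 and later; the field names used are the ones that format documents) to print, for each real advisory, the chain from the vulnerable package up to the direct dependency that pulls it in, whether the offered fix is a breaking change, and the range an `overrides` entry would have to pin. The embedded report is constructed to mirror the text output quoted in the issue; its exact values are assumptions, not a capture from the project.

```javascript
// Added example (not from the issue thread or the Dataview project): walk an
// `npm audit --json` report (npm 7+ "auditReportVersion": 2 format) to answer
// the two questions the thread raises: which direct dependency pulls in the
// flagged package, and whether the offered fix is a semver-major change that
// needs `--force`. The report below is CONSTRUCTED to mirror the text output in
// the issue; the field values are assumptions.

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    svelte: {
      name: 'svelte',
      severity: 'moderate',
      isDirect: false,
      // An object in `via` is an advisory; a string is just a dependency name.
      via: [{
        name: 'svelte',
        dependency: 'svelte',
        title: 'Svelte vulnerable to XSS when using objects during server-side rendering',
        url: 'https://github.com/advisories/GHSA-wv8q-r932-8hc7',
        severity: 'moderate',
        range: '<3.49.0',
      }],
      effects: ['obsidian-calendar-ui'],
      range: '<3.49.0',
      nodes: ['node_modules/svelte'],
      fixAvailable: { name: 'obsidian-dataview', version: '0.4.21', isSemVerMajor: true },
    },
    'obsidian-calendar-ui': {
      name: 'obsidian-calendar-ui',
      severity: 'moderate',
      isDirect: false,
      via: ['svelte'],
      effects: ['obsidian-dataview'],
      range: '*',
      nodes: ['node_modules/obsidian-calendar-ui'],
      fixAvailable: { name: 'obsidian-dataview', version: '0.4.21', isSemVerMajor: true },
    },
    'obsidian-dataview': {
      name: 'obsidian-dataview',
      severity: 'moderate',
      isDirect: true,
      via: ['obsidian-calendar-ui'],
      effects: [],
      range: '>=0.4.22',
      nodes: ['node_modules/obsidian-dataview'],
      fixAvailable: { name: 'obsidian-dataview', version: '0.4.21', isSemVerMajor: true },
    },
  },
};

// Packages whose `via` contains advisory objects are the ones actually
// vulnerable; every other entry is only there because it depends on one.
function rootAdvisories(report) {
  const out = [];
  for (const entry of Object.values(report.vulnerabilities)) {
    for (const via of entry.via) {
      if (typeof via === 'object' && via !== null) out.push({ pkg: entry.name, ...via });
    }
  }
  return out;
}

// Follow `effects` upward until a direct dependency is reached. Returns every
// chain as an array of package names from the vulnerable leaf to the root.
function dependencyChains(report, pkg, seen = new Set()) {
  const entry = report.vulnerabilities[pkg];
  if (!entry || seen.has(pkg)) return [];
  const next = new Set(seen).add(pkg);
  if (entry.isDirect || entry.effects.length === 0) return [[pkg]];
  const chains = [];
  for (const parent of entry.effects) {
    for (const chain of dependencyChains(report, parent, next)) chains.push([pkg, ...chain]);
  }
  return chains;
}

// True when the only fix npm offers is a semver-major change to a direct
// dependency: the case where the text report says "breaking change" and
// `npm audit fix` refuses to act without --force.
function fixNeedsForce(report, pkg) {
  const fix = report.vulnerabilities[pkg].fixAvailable;
  return typeof fix === 'object' && fix !== null && fix.isSemVerMajor === true;
}

// For an advisory range of the simple form "<X", X is the first safe version,
// which is what a package.json `overrides` entry would pin. Any other range
// shape returns null so the caller has to look at it by hand.
function overrideRangeFor(advisoryRange) {
  const m = /^<\s*(\d+\.\d+\.\d+)$/.exec(advisoryRange);
  return m ? `>=${m[1]}` : null;
}

function summarize(report) {
  return rootAdvisories(report).map((adv) => ({
    pkg: adv.pkg,
    url: adv.url,
    chains: dependencyChains(report, adv.pkg).map((c) => c.join(' <- ')),
    needsForce: fixNeedsForce(report, adv.pkg),
    override: overrideRangeFor(adv.range),
  }));
}

console.log(JSON.stringify(summarize(sampleReport), null, 2));
```

To run it against a real project, replace `sampleReport` with `JSON.parse(fs.readFileSync('audit.json'))` after `npm audit --json > audit.json`. When `needsForce` is true and the advisory range is a plain upper bound, the `override` value is what you would put under `"overrides": { "svelte": ">=3.49.0" }` in package.json (an npm 8.3+ feature) to satisfy the audit without downgrading obsidian-dataview; that is an assumption about how you would proceed, not something the thread did, and any override still has to be checked against the consumer (here obsidian-calendar-ui) before it is trusted.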