cyu / rack-cors

Rack Middleware for handling Cross-Origin Resource Sharing (CORS), which makes cross-origin AJAX possible.
MIT License

Vulnerabilities in included mocha.js #246

Open Niedzwiedz opened 1 year ago

Niedzwiedz commented 1 year ago

Hello,

The Rack-cors gem comes packaged with test_files that include mocha.js, which is interpreted by our scans as version 1.11.0.

Our product security analysis is "flashing red" and flagging those: https://www.huntr.dev/bounties/1d8a3d95-d199-4129-a6ad-8eafe5e77b9e/ https://github.com/mochajs/mocha/pull/4770

I was following this issue discussion on rubygems (https://github.com/rubygems/rubygems/issues/735), which isn't really conclusive, but many gem repos removed test_files, and I wonder what your opinion is on keeping/removing the test_files part of the gemspec?

Thanks, Michal
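The mechanism behind the report is that RubyGems folds `test_files` into the shipped file list, so anything under the test tree (including vendored JavaScript) lands in the published `.gem`. The following is an added illustration, not code from the rack-cors project: it builds two in-memory gemspecs over a constructed file tree (the gem name and paths are made up) and lists which non-`lib/` assets a scanner would find in each package.

```ruby
require "rubygems"

# Constructed file list standing in for a gem checkout that vendors a
# JavaScript test runner under test/ (paths are invented for the example).
SAMPLE_TREE = %w[
  lib/example/cors.rb
  lib/example/cors/resource.rb
  test/cors/test_cors.rb
  test/cors/mocha.js
  test/cors/mocha.css
].freeze

# "Before": the common gemspec pattern that hands the whole test tree to RubyGems.
def spec_with_test_files(tree = SAMPLE_TREE)
  Gem::Specification.new do |s|
    s.name = "example-gem" # hypothetical gem name
    s.version = "0.0.1"
    s.files = tree.grep(%r{\Alib/})
    s.test_files = tree.grep(%r{\Atest/})
  end
end

# "After": only runtime code is listed; the test tree never enters the package.
def spec_without_test_files(tree = SAMPLE_TREE)
  Gem::Specification.new do |s|
    s.name = "example-gem" # hypothetical gem name
    s.version = "0.0.1"
    s.files = tree.grep(%r{\Alib/})
  end
end

# Everything RubyGems would write into the .gem. Specification#files merges
# test_files into the result, which is why test assets ship at all.
def shipped_files(spec)
  spec.files
end

# Third-party assets a dependency scanner will fingerprint: .js/.css outside lib/.
def vendored_assets(spec)
  shipped_files(spec).select do |f|
    f.end_with?(".js", ".css") && !f.start_with?("lib/")
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "with test_files:    #{vendored_assets(spec_with_test_files).inspect}"
  puts "without test_files: #{vendored_assets(spec_without_test_files).inspect}"
end
```

Running the script shows `test/cors/mocha.css` and `test/cors/mocha.js` in the first package and nothing in the second; the same `vendored_assets` check can be pointed at a real gemspec loaded with `Gem::Specification.load` to audit a release before it is pushed.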

squadette commented 1 year ago

If your product is flagging a JavaScript file in the test suite as "flashing red", then how would it flag the actual vulnerabilities?