djipco / webmidi

Tame the Web MIDI API. Send and receive MIDI messages with ease. Control instruments with user-friendly functions (playNote, sendPitchBend, etc.). React to MIDI input with simple event listeners (noteon, pitchbend, controlchange, etc.).
Apache License 2.0

Moderate vulnerabilities in WEBMIDI.js 3.0 #268

Closed barnabycollins closed 2 years ago

barnabycollins commented 2 years ago

Description

I'm using this module in a project, and upon installing, NPM tells me that the sanitize-html dependency contains vulnerabilities. I'm aware that it's underneath several other dependencies, including your own djipevents module, so it's not really a problem with this module, but I thought it could be worth opening an issue here too in order to allow for discussion etc. Are there plans to update the dependencies soon, in order to resolve these issues?

Environment:

Details

node_modules/sanitize-html
  ink-docstrap  >=1.0.0
  Depends on vulnerable versions of sanitize-html
  node_modules/ink-docstrap
    gulp-jsdoc3  *
    Depends on vulnerable versions of ink-docstrap
    node_modules/gulp-jsdoc3
      djipevents  >=1.0.0-a
      Depends on vulnerable versions of gulp-jsdoc3
      node_modules/djipevents
        webmidi  >=3.0.0-alpha.1
        Depends on vulnerable versions of djipevents
        node_modules/webmidi
djipco commented 2 years ago

I updated all dependencies in the djipevents module. Unfortunately, I do not have any control over the vulnerable sub-dependencies.

WEBMIDI.js has been updated to use the latest version of djipevents (2.0.5). The change will go out with the next release.

Thanks for reporting.

djipco commented 2 years ago

I should probably mention that the vulnerable dependencies are only used by tools (i.e. documentation generator) used during development (dev-dependency). They are not direct dependencies of the library.

barnabycollins commented 2 years ago

Ah, thank you for clarifying! Makes a lot of sense; thank you :)
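As an added example (not code from this issue or from the WEBMIDI.js project), the dependency tree quoted above reconstructed from `npm audit --json` instead of the text report: the script walks each advisory's `effects` links up to the package actually declared by the consumer, which is the first step in judging whether a chain like sanitize-html -> ink-docstrap -> gulp-jsdoc3 -> djipevents -> webmidi is reachable in a production install. The `vulnerabilities` shape assumed is the npm 7+ one, and the sample is constructed to match this issue's chain (the advisory title is a placeholder).

```python
import json

# Constructed sample (not real audit output) in the npm 7+ `npm audit --json`
# shape, reduced to the fields read below; it mirrors the chain in this issue.
SAMPLE_AUDIT_JSON = json.dumps({"vulnerabilities": {
    "sanitize-html": {"severity": "moderate", "isDirect": False,
                      "via": [{"title": "PLACEHOLDER-ADVISORY", "severity": "moderate"}],
                      "effects": ["ink-docstrap"]},
    "ink-docstrap": {"severity": "moderate", "isDirect": False,
                     "via": ["sanitize-html"], "effects": ["gulp-jsdoc3"]},
    "gulp-jsdoc3": {"severity": "moderate", "isDirect": False,
                    "via": ["ink-docstrap"], "effects": ["djipevents"]},
    "djipevents": {"severity": "moderate", "isDirect": False,
                   "via": ["gulp-jsdoc3"], "effects": ["webmidi"]},
    "webmidi": {"severity": "moderate", "isDirect": True,
                "via": ["djipevents"], "effects": []},
}})


def advisory_roots(audit):
    """Packages whose `via` holds advisory objects: the actually vulnerable code.
    Every other entry is only flagged because it depends on one of these."""
    return sorted(name for name, v in audit["vulnerabilities"].items()
                  if any(isinstance(x, dict) for x in v.get("via", [])))


def impact_chains(audit, pkg, _seen=()):
    """All paths from `pkg` upward through `effects` to the packages nothing
    else depends on (the ones the consumer declared). `_seen` cuts cycles."""
    vulns = audit["vulnerabilities"]
    nxt = [e for e in vulns.get(pkg, {}).get("effects", []) if e not in _seen]
    if not nxt:
        return [[pkg]]
    return [[pkg] + c for e in nxt for c in impact_chains(audit, e, _seen + (pkg,))]


def summarize(audit_json):
    """Map each advisory root to the chains through which it reaches the tree."""
    audit = json.loads(audit_json)
    return {root: impact_chains(audit, root) for root in advisory_roots(audit)}


if __name__ == "__main__":
    for root, chains in summarize(SAMPLE_AUDIT_JSON).items():
        for chain in chains:
            print(" -> ".join(chain))  # sanitize-html -> ... -> webmidi
```

On a real project, `npm ls sanitize-html --omit=dev` then shows whether the flagged package is still present once dev-only dependencies are excluded, which is the distinction the maintainer draws above.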