dumaurier / pwa_jekyll

Jekyll + PWA + IndieWeb. A starter for publishing your own content. Support for WebMentions, Service Workers and Netlify CMS is built in.
https://pwa-jekyll-starter.netlify.com/
MIT License
22 stars, 16 forks

Automated Security Alerts upon Deploy #15

Closed infominer33 closed 5 years ago

infominer33 commented 5 years ago

Describe the bug

Upon Deploy, I got 2 security alerts.

ffi

One automated upgrade of ffi

ffi (1.11.1)
ffi (1.11.1-x64-mingw32)
ffi (1.11.1-x86-mingw32)

parsejson

CVE-2017-16113 (high severity). Vulnerable versions: <= 0.0.3. Patched version: no fix.

The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.

Not sure what to do with that. Will study more later.

dumaurier commented 5 years ago

I can't remember why I had included parsejson. And removing didn't seem to break anything obvious...so now it's gone.

dumaurier commented 5 years ago

parsejson fixed with this commit: https://github.com/dumaurier/pwa_jekyll/commit/1af78d923af97009672c61b56264ffe125352d41

ffi fixed with this commit: https://github.com/dumaurier/pwa_jekyll/commit/a4830ad0a9e360de6e6d0f368f4816bb01d86609
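One way to confirm that commits like the two above actually clear both alerts is to read the lockfiles back rather than trusting the deploy bot: parsejson has no patched release, so any occurrence in package-lock.json must be gone, and every ffi spec in Gemfile.lock must be at or above the version the upgrade pinned. The script below is an added example and is not code from this repository; the ffi floor of 1.11.1 is taken from the upgrade in this thread (an assumption, not the advisory's own fixed version), and both lockfile snippets are constructed samples showing the pre-fix state.

```ruby
require "json"

# Floor for ffi, taken from the version this thread upgraded to (assumption, not the
# advisory's fixed version). parsejson (CVE-2017-16113) has no patched release, so
# any occurrence at all is reported.
FFI_MIN_VERSION = Gem::Version.new("1.11.1")

# Parse the "specs:" block of a Gemfile.lock into {gem_name => [versions]}.
# Only 4-space-indented lines are gem specs; deeper lines are their dependencies.
# Platform suffixes such as "1.11.1-x64-mingw32" are reduced to the bare version.
def gemfile_lock_specs(text)
  specs = Hash.new { |h, k| h[k] = [] }
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line !~ /^\s/ # a column-0 section header ends the block
    next unless in_specs
    if (m = line.match(/^    (\S+) \(([^)]+)\)\s*$/))
      specs[m[1]] << m[2].split("-").first
    end
  end
  specs
end

# Collect installed npm package versions from a package-lock.json, handling the
# lockfile v1 "dependencies" layout and the v2/v3 "packages" layout. Returns
# {package_name => [versions]}.
def package_lock_versions(json_text)
  lock = JSON.parse(json_text)
  found = Hash.new { |h, k| h[k] = [] }
  (lock["dependencies"] || {}).each { |name, info| found[name] << info["version"] }
  (lock["packages"] || {}).each do |path, info|
    next if path.empty? # the root project entry
    found[path.split("node_modules/").last] << info["version"]
  end
  found.each_value(&:uniq!)
  found
end

# Returns human-readable findings; an empty array means both alerts are cleared.
def check_lockfiles(gemfile_lock, package_lock)
  findings = []
  gemfile_lock_specs(gemfile_lock).fetch("ffi", []).each do |v|
    if Gem::Version.new(v) < FFI_MIN_VERSION
      findings << "ffi #{v} is below #{FFI_MIN_VERSION}; upgrade"
    end
  end
  package_lock_versions(package_lock).fetch("parsejson", []).each do |v|
    findings << "parsejson #{v} present; no fixed release exists, remove the dependency"
  end
  findings
end

# Constructed sample lockfiles (not the repository's own files) in the pre-fix state.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      ffi (1.10.0)
      ffi (1.10.0-x64-mingw32)
      jekyll (3.8.5)
        ffi (>= 1.9)

  PLATFORMS
    ruby
    x64-mingw32
LOCK

SAMPLE_PACKAGE_LOCK = <<~JSON
  {
    "name": "example-site",
    "lockfileVersion": 1,
    "dependencies": {
      "parsejson": { "version": "0.0.3" },
      "example-dep": { "version": "1.0.0" }
    }
  }
JSON

if __FILE__ == $PROGRAM_NAME
  findings = check_lockfiles(SAMPLE_GEMFILE_LOCK, SAMPLE_PACKAGE_LOCK)
  findings.empty? ? puts("both alerts cleared") : findings.each { |f| puts f }
end
```

Run it against the real files with `check_lockfiles(File.read("Gemfile.lock"), File.read("package-lock.json"))`; on the sample input it reports both ffi specs at 1.10.0 and the lingering parsejson 0.0.3, and once the gem is bumped and the npm package removed it reports nothing.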

infominer33 commented 5 years ago

thank you!