feathersjs-ecosystem / feathers-swagger

Add documentation to your FeathersJS services and feed them to Swagger UI.
MIT License
226 stars, 63 forks

Spoofing attack in swagger-ui-dist #231

Closed haddigan closed 2 years ago

haddigan commented 2 years ago

Dependabot is reporting a vulnerability in the swagger-ui-dist version used by this package:

The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.

The swagger-ui-dist package is listed in the greenkeeper ignore section of the package.json for this project. Is it absolutely necessary to continue using this insecure version or is it possible to update to the latest 4.1.3?
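
A quick way to answer the question above for any dependency is to read the project's package.json, find the declared range for the package, check whether it is also listed under greenkeeper's ignore list, and compare the lowest version the range admits with the version the advisory names as fixed (4.1.3 for swagger-ui-dist). The script below is an added example, not code from feathers-swagger; the package.json it reads is a constructed sample (the pinned 3.25.0 is an assumed value, not the version this project used), and `parseSemver`, `compareSemver` and `auditDependency` are hypothetical helper names. Note that for caret and tilde ranges only the lower bound is tested, so the lockfile's resolved version remains the authoritative answer.

```javascript
// Added example: check a package.json dependency against a fixed version.
// Not part of feathers-swagger; the package.json below is constructed.
const FIXED_VERSION = '4.1.3'; // version the quoted advisory names as fixed

// Constructed sample package.json; 3.25.0 is an assumed pinned version.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  dependencies: { 'swagger-ui-dist': '3.25.0', express: '^4.17.1' },
  greenkeeper: { ignore: ['swagger-ui-dist'] },
});

// Extract [major, minor, patch] from a pinned version or a ^/~ range.
// Returns null for ranges whose lower bound is not a plain version.
function parseSemver(v) {
  const m = /^[~^]?v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Numeric comparison of two versions: -1, 0 or 1 (no prerelease handling).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Report whether `name` is declared, whether an updater ignores it, and
// whether the lowest version its range admits is below `fixedVersion`.
function auditDependency(pkg, name, fixedVersion) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const range = deps[name];
  if (range === undefined) return { name, present: false };
  const ignoreList = (pkg.greenkeeper && pkg.greenkeeper.ignore) || [];
  const ignored = ignoreList.includes(name);
  // null means the range could not be parsed; inspect it by hand.
  const vulnerable = parseSemver(range) ? compareSemver(range, fixedVersion) < 0 : null;
  return { name, present: true, range, ignored, vulnerable };
}

// Stand-alone run over the constructed sample.
const report = auditDependency(JSON.parse(SAMPLE_PACKAGE_JSON), 'swagger-ui-dist', FIXED_VERSION);
console.log(JSON.stringify(report));
```

Running it prints a one-line JSON report whose `vulnerable` flag is true for the sample, and `ignored` true shows why an automated updater would never have bumped it; in a real audit, feed the script the resolved version from package-lock.json rather than the declared range.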

Mairu commented 2 years ago

I created a new version today with updated dependencies. For swagger-ui-dist I updated not to v4, which would be a kind of breaking change, but to the latest 3.52.2.

My plan for future versions is to exclude swagger-ui-dist as a direct dependency.