filestack / filestack-js

Official Javascript SDK for the Filestack API and content ingestion system.
https://www.filestack.com
MIT License

[Security] Vulnerabilities In Dependency: fast-xml-parser - Requires Upgrade #523

Closed RTurek closed 10 months ago

RTurek commented 11 months ago

filestack-js (and thus filestack-react and any other libs that depend on filestack-js) has a security vulnerability due to a JavaScript dependency. The fast-xml-parser library needs to be upgraded.

Expected Behavior

No security alerts on GitHub or other vulnerability scanners should be triggered by filestack-js and filestack-react's dependency on fast-xml-parser.

Current Behavior

Security alert shows up because of the vulnerability in the older version of fast-xml-parser.

Possible Solution

Upgrade "fast-xml-parser": "^3.16.0" to "fast-xml-parser": "^4.2.4"

Additional Screenshots & Documentation

Regex Issue
https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-6w63-h3fj-q4vw
https://security.snyk.io/vuln/SNYK-JS-FASTXMLPARSER-5668858
https://vulners.com/github/GHSA-6W63-H3FJ-Q4VW

[Screenshot: 2023-07-18, 12:39:00 PM]

Prototype Pollution issue
https://github.com/advisories/GHSA-x3cc-x39p-42qx

[Screenshot: 2023-07-18, 12:42:14 PM]

Context

All users of this library will be impacted by this.

Your Environment

All environments are impacted by this.
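The check a maintainer or consumer would run to confirm the state this issue reports, as an added example that is not part of the issue or of filestack-js itself: it tests a declared package.json range and the resolved fast-xml-parser installs in an npm lockfile (lockfileVersion 2/3 "packages" map) against the fixed release named above, 4.2.4. The lockfile contents are constructed.

```javascript
// Added example, not filestack-js project code: detect the dependency state this
// issue describes. It checks (a) a declared package.json range and (b) the resolved
// fast-xml-parser installs in an npm lockfile (lockfileVersion 2/3 "packages" map)
// against the fixed release the issue names, 4.2.4. All sample data is constructed.
const MIN_FIXED = "4.2.4";

// Compare two dotted numeric versions (pre-release tags ignored); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lowest version a simple range (^, ~, >=, exact) can resolve to. A caret range such
// as "^3.16.0" never reaches 4.x, so a floor below the fix means the range is unsafe.
function rangeFloor(range) {
  return range.trim().replace(/^[\^~>=\s]+/, "");
}
function rangeFloorIsFixed(range, minFixed = MIN_FIXED) {
  return compareVersions(rangeFloor(range), minFixed) >= 0;
}

// Walk the lockfile and return every fast-xml-parser install below minFixed,
// including nested copies under other packages' node_modules.
function findVulnerableFastXmlParser(lock, minFixed = MIN_FIXED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/fast-xml-parser")) continue;
    if (compareVersions(meta.version, minFixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile: a nested old 3.x copy under filestack-js, a fixed top-level copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/filestack-js": { dependencies: { "fast-xml-parser": "^3.16.0" } },
    "node_modules/filestack-js/node_modules/fast-xml-parser": { version: "3.21.1" },
    "node_modules/fast-xml-parser": { version: "4.2.5" },
  },
};
console.log(rangeFloorIsFixed("^3.16.0"), findVulnerableFastXmlParser(SAMPLE_LOCK));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))`; the nested-path match is what catches the copy a top-level `npm ls` summary can hide.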

bsaphier commented 11 months ago

Need this fixed ASAP. Can't use this package in production environments that need to pass security reviews (like for getting an application approved for Google integration).

NUO97 commented 11 months ago

The issue has been around for over a month, plz prioritize this

RTurek commented 10 months ago

Resolved by https://github.com/filestack/filestack-js/pull/521
Pushed out with v3.27.0: https://github.com/filestack/filestack-js/commit/41575fdf6a2bcca8c3b881627edac6d54a81cffa#diff-06572a96a58dc510037d5efa622f9bec8519bc1beab13c9f251e97e657a9d4edR8