fohrloop / dash-uploader

The alternative upload component for python Dash applications.
MIT License

Security issue in dash_uploader.min.js #33

Closed jackwk closed 3 years ago

jackwk commented 3 years ago

In dash_uploader.min.js, a Bootstrap version with a vulnerability is used (CVE-2019-8331).

Details: https://github.com/twbs/bootstrap/pull/28236

Solution: upgrade bootstrap version from 4.1.3 to 4.3.1

fohrloop commented 3 years ago

Thank you for the report @jackwk. The linked issue looks like it has something to do with the .js part of Bootstrap 4.1.3, namely the tooltip and popover plugins. In dash-uploader there is no direct Bootstrap dependency; just some CSS styles copied to

to get nice-looking buttons and progressbar. I am quite sure there is no security risk related to these files.
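One way to check a built bundle such as dash_uploader.min.js for this kind of report, as an added example that is not code from dash-uploader or Bootstrap: a Bootstrap version banner carried over with copied CSS says nothing about CVE-2019-8331, which lives in the tooltip/popover plugin JavaScript, so the script looks for that plugin's retained method names and for the sanitizer option keys that 4.3.1 added. The marker strings are assumptions about what survives minification, and the sample bundles are constructed fragments, not real Bootstrap output.

```python
"""Triage a JS bundle: Bootstrap CSS only, or the tooltip/popover plugin
that CVE-2019-8331 affects? Added example; not dash-uploader's own code."""
import re
import sys

BANNER_RE = re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)")
# Assumption: these tooltip/popover prototype method names survive
# minification because they are property names, not local variables.
PLUGIN_MARKERS = ("getTipElement", "setElementContent")
# Assumption: option keys of the content sanitizer introduced in 4.3.1.
SANITIZER_MARKERS = ("sanitizeFn", "whiteList")
FIXED_IN = (4, 3, 1)


def triage_bundle(js: str) -> dict:
    """Classify bundle text; returns versions seen, marker hits, verdict."""
    versions = sorted({tuple(int(x) for x in m) for m in BANNER_RE.findall(js)})
    plugin = any(m in js for m in PLUGIN_MARKERS)
    sanitizer = any(m in js for m in SANITIZER_MARKERS)
    if not versions and not plugin:
        verdict = "no-bootstrap"
    elif not plugin:
        verdict = "css-only"          # banner and .tooltip classes, no plugin code
    elif sanitizer and all(v >= FIXED_IN for v in versions):
        verdict = "plugin-patched"
    else:
        verdict = "plugin-affected"   # plugin present, no sanitizer or old banner
    return {"versions": versions, "plugin_code": plugin,
            "sanitizer": sanitizer, "verdict": verdict}


# Constructed sample bundles (not real Bootstrap builds).
CSS_ONLY = ("/*! Bootstrap v4.1.3 (https://getbootstrap.com/) */"
            ".btn{display:inline-block}.progress-bar{height:1rem}"
            ".tooltip{position:absolute}")
OLD_PLUGIN = ("/*! Bootstrap v4.1.3 */ var e=function(){};"
              "e.prototype.getTipElement=function(){return this.tip};"
              "e.prototype.setElementContent=function(t,n){t.html(n)};")
NEW_PLUGIN = ("/*! Bootstrap v4.3.1 */ var d={sanitize:!0,sanitizeFn:null,"
              "whiteList:{}};e.prototype.getTipElement=function(){};")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, triage_bundle(fh.read())["verdict"])
```

Run it as `python triage.py dash_uploader.min.js`; a `css-only` verdict matches the maintainer's reading above, while `plugin-affected` would mean the vulnerable plugin code really is bundled.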