gxmari007 / vite-plugin-eslint

🚨 ESLint plugin for vite
MIT License
271 stars, 52 forks

Vulnerability in rollup dependency #98

Open made-in-nz opened 2 months ago

made-in-nz commented 2 months ago

Latest vite-eslint-plugin is v1.8.1, containing a dependency on rollup v2.77.2, which contains the following high severity vulnerability: https://github.com/advisories/GHSA-gcx4-mw62-g8wm

Output from npm audit:

rollup  <3.29.5
Severity: high
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS - https://github.com/advisories/GHSA-gcx4-mw62-g8wm
fix available via `npm audit fix --force`
Will install vite-plugin-eslint@1.1.0, which is a breaking change
node_modules/vite-plugin-eslint/node_modules/rollup
  vite-plugin-eslint  1.0.5 || >=1.1.1
  Depends on vulnerable versions of rollup
  node_modules/vite-plugin-eslint

MSmithAccesso commented 2 months ago

Thought I'd have a stab at creating a PR for this https://github.com/gxmari007/vite-plugin-eslint/pull/99. Feel free to check etc