Open davejbur opened 1 year ago
OK, I've created #143 to fix this, but Snyk is failing it... can't see why?
Thank you for this! Looks great!!
Snyk complains about https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050875
I don't think there is another patched version available? When in doubt, I think I'd rather use 1.14 instead of 1.9, I guess?
Maybe I'm missing something, but I thought that was exactly the change I was proposing! Snyk however seemed to be failing my proposal because it was working on the master instead of the branch pull request I'd created! Anyway, yes, the change is to move to 1.14.7 (and from org.webjars.bower instead of org.webjars.npm).
As far as I can understand it from Snyk, this vulnerability applies to 1.14.7 as well.
In any case, will merge it for now since using the newer version should be preferable over using the older one!
New version released with https://github.com/javadelight/delight-nashorn-sandbox/releases/tag/0.3.2
But as said, could still be reporting the vulnerability!
Currently, OWASP reports:
Updating to js-beautify 1.14.7 avoids this. I tried to do this as a GitHub pull request, but, between them, GitHub/NetBeans/Windows mess with the line endings. GitHub then refuses to ignore line endings when looking at changes (yes, I do have what is allegedly the correct setting in .gitattributes), so it looks like the whole file has changed.
Changes required: pom.xml line 30 from:
to
and line 32 from:
to
JsSanitizer.java line 50 from:
to