所需依赖 ssh2 存在漏洞 - Githubissues

lucascaro / hexo-deployer-sftp

SFTP deployer for Hexo

MIT License

7 stars 5 forks source link

所需依赖 ssh2 存在漏洞 #15

Open suyin-long opened 2 months ago

suyin-long commented 2 months ago

因为其所依赖的 ssh2 版本过低，导致其存在OS Command Injection in ssh2的漏洞，希望可以将其修复。
修复方法：将依赖的 ssh2 版本升级到 1.4.0 及以上即可！

漏洞详情请参考以下内容：

ssh2  <1.4.0
Severity: high
OS Command Injection in ssh2 - https://github.com/advisories/GHSA-652h-xwhf-q4h6
No fix available
node_modules/sftp-sync-deploy/node_modules/ssh2
sftp-sync-deploy  *
Depends on vulnerable versions of ssh2
node_modules/sftp-sync-deploy
hexo-deployer-sftp  *
Depends on vulnerable versions of sftp-sync-deploy        
node_modules/hexo-deployer-sftp