microsoft / BotFramework-WebChat

A highly-customizable web-based client for Azure Bot Services.
https://www.botframework.com/
MIT License

Outdated dependency CVE-2020-7753 #3568

Closed D-3lf closed 3 years ago

D-3lf commented 4 years ago

Screenshots

Version

4.10.1 NPM package

To determine what version of Web Chat you are running, open your browser's development tools, and paste the following line of code into the console.

[].map.call(document.head.querySelectorAll('meta[name^="botframework-"]'), function (meta) { return meta.outerHTML; }).join('\n')

If you are using Web Chat outside of a browser, please specify your hosting environment. For example, React Native on iOS, Cordova on Android, SharePoint, PowerApps, etc.

Describe the bug

Web Chat depends on Remark version 10.0.1 which contains a package with the CVE-2020-7753 vulnerability. The path to the vulnerable library is: Web Chat <- botframework-webchat-component <- remark 10.0.1 <- remark-parse 6.0.3 <- trim 0.0.1

Steps to reproduce

N/A it exists in the latest version

Expected behavior

Not having CVSS V3 7.5/10 vulnerabilities.

Additional context

Upgrading to remark 13 will fix this

[Bug]
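The dependency chain in the report can be checked mechanically rather than by hand. The following is an added example, not code from the Web Chat project: it walks a package-lock.json v1 "dependencies" tree, lists every path from the root to a named package, and flags copies older than a patched version. The lockfile, the `other-lib` entry and the `PATCHED_TRIM` threshold are constructed or assumed, not taken from the issue.

```javascript
// Added example (not from the Web Chat repo): lockfile path finder for a vulnerable transitive dep.
const PATCHED_TRIM = '0.0.3'; // assumed fix version for CVE-2020-7753; not stated in the issue
// Constructed miniature lockfile mirroring the chain the issue reports:
// botframework-webchat-component -> remark 10.0.1 -> remark-parse 6.0.3 -> trim 0.0.1
const SAMPLE_LOCK = { dependencies: {
  'botframework-webchat-component': { version: '4.10.1', requires: { remark: '10.0.1' } },
  remark: { version: '10.0.1', requires: { 'remark-parse': '6.0.3' } },
  'remark-parse': { version: '6.0.3', requires: { trim: '0.0.1' } },
  trim: { version: '0.0.1' },
  'other-lib': { version: '2.0.0', requires: { trim: '1.0.0' },
                 dependencies: { trim: { version: '1.0.0' } } }, // nested copy shadows the hoisted one
} };
const SAMPLE_ROOT_DEPS = ['botframework-webchat-component', 'other-lib']; // constructed package.json deps

// npm's node_modules lookup: the nearest nested copy wins, otherwise walk up toward the root.
function resolve(ancestors, name) {
  for (let i = ancestors.length - 1; i >= 0; i--)
    if ((ancestors[i].dependencies || {})[name]) return ancestors[i].dependencies[name];
  return null;
}

// Every root-to-target path as ["name@version", ...]; `seen` cuts cycles within one path.
function findPaths(lock, rootDeps, target) {
  const found = [];
  const walk = (ancestors, requires, path, seen) => {
    for (const name of requires) {
      const child = resolve(ancestors, name);
      if (!child) continue;
      const label = `${name}@${child.version}`;
      if (seen.has(label)) continue;
      const next = path.concat(label);
      if (name === target) found.push(next);
      walk(ancestors.concat(child), Object.keys(child.requires || {}), next, new Set(seen).add(label));
    }
  };
  walk([lock], rootDeps, [], new Set());
  return found;
}

// Numeric dotted-version compare (no pre-release tags), enough for the versions on this page.
function versionLt(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++)
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// Paths that end in a copy older than `patched`: these are the chains an upgrade must remove.
function vulnerablePaths(lock, rootDeps, target, patched) {
  return findPaths(lock, rootDeps, target).filter(p => versionLt(p[p.length - 1].split('@').pop(), patched));
}
console.log(vulnerablePaths(SAMPLE_LOCK, SAMPLE_ROOT_DEPS, 'trim', PATCHED_TRIM).map(p => p.join(' <- ')));
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with the parsed package-lock.json and `SAMPLE_ROOT_DEPS` with the keys of package.json's dependencies; the shadowed `trim@1.0.0` copy shows why a flat "is trim installed" check is not enough.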

corinagum commented 4 years ago

Thanks for filing this issue. This is potentially related to https://github.com/microsoft/BotFramework-WebChat/issues/3360, depending on whether we move away from this package or not. Assigning to @compulim since he is the assigned dev for 3360.

mrivera-ms commented 3 years ago

@compulim could you please take a look?

compulim commented 3 years ago

We will need to take out remark@10, as we tested @11 and it doesn't work with IE11. We also have an accessibility bug related to strip-markdown (and remark): it is incapable of removing HTML tags from Markdown.

corinagum commented 3 years ago

I am closing this as a dupe of #3360 for consolidation.