microsoft / monaco-editor

A browser based code editor
https://microsoft.github.io/monaco-editor/
MIT License

[Bug] Security vulnerability in DOMPurify@3.0.5 (used by VSCode & Monaco) #4692

Closed aleixsuau closed 3 weeks ago

aleixsuau commented 1 month ago

Reproducible in vscode.dev or in VS Code Desktop?

Reproducible in the monaco editor playground?

Monaco Editor Playground Link

No response

Monaco Editor Playground Code

No response

Reproduction Steps

No response

Actual (Problematic) Behavior

Our OWASP scan detected an issue in DOMPurify@3.0.5, CVE-2024-45801, which seems to be used by the Monaco editor (VSCode): https://github.com/microsoft/vscode/blob/main/src/vs/base/browser/dompurify/dompurify.js

Please update to DOMPurify@3.1.3 to get rid of that vulnerability.

Thanks

Expected Behavior

There should be no vulnerability issues.

Additional Context

No response

jshawl commented 1 month ago

It looks like DOMPurify was bumped here https://github.com/microsoft/vscode/pull/228773/files but not yet vendored, as was done in this other DOMPurify bump PR: https://github.com/microsoft/vscode/pull/189368/files
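The gap described above (dependency bumped in package.json but the vendored bundle still carrying the old version) is easy to miss in a scan that only reads lockfiles. As an added example, not code from monaco-editor or VS Code, the script below reads the version out of a vendored DOMPurify file and reports drift against the declared dependency and against 3.1.3, the fix version named in this report; the sample bundle text and package.json are constructed, and the "@license DOMPurify x.y.z" banner / `DOMPurify.version` assignment are assumed to be how the build exposes its version.

```javascript
// Audit a vendored DOMPurify copy against package.json and the fixed release.
const MIN_FIXED = '3.1.3'; // fix version named in the issue for CVE-2024-45801

// Constructed stand-ins for the vendored bundle and package.json (not real files).
// Assumption: the bundle carries a "@license DOMPurify x.y.z" banner and sets
// DOMPurify.version; both patterns are used only for extraction here.
const VENDORED_SOURCE = `/*! @license DOMPurify 3.0.5 | (c) Cure53 and other contributors */
(function () { const DOMPurify = {}; DOMPurify.version = '3.0.5'; })();`;
const PACKAGE_JSON = JSON.stringify({ dependencies: { dompurify: '^3.1.3' } });

// Parse "x.y.z" (optionally prefixed with ^, ~ or v) into [major, minor, patch].
function parseSemver(s) {
  const m = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)/.exec(s.trim());
  if (!m) throw new Error(`not a semver string: ${s}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing a to b (major, then minor, then patch).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Pull the version out of a vendored bundle, preferring the explicit
// DOMPurify.version assignment over the license banner. Returns null if absent.
function extractVendoredVersion(source) {
  const m = /DOMPurify\.version\s*=\s*['"](\d+\.\d+\.\d+)['"]/.exec(source)
        || /@license DOMPurify (\d+\.\d+\.\d+)/.exec(source);
  return m ? m[1] : null;
}

// drift: vendored copy differs from the declared dependency (bumped, not re-vendored).
// vulnerable: vendored copy is older than the first fixed release.
function auditVendoredCopy(vendoredSource, packageJsonText, minFixed = MIN_FIXED) {
  const declared = JSON.parse(packageJsonText).dependencies.dompurify;
  const vendored = extractVendoredVersion(vendoredSource);
  if (!vendored) return { vendored: null, declared, drift: true, vulnerable: true };
  return {
    vendored,
    declared,
    drift: compareSemver(vendored, declared) !== 0,
    vulnerable: compareSemver(vendored, minFixed) < 0,
  };
}

console.log(auditVendoredCopy(VENDORED_SOURCE, PACKAGE_JSON));
```

An unreadable version is reported as both drifted and vulnerable so that a silently stripped banner fails the check rather than passing it.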

jasonparallel commented 1 month ago

@rzhao271 Just wanted to at you as you merged in the version update for DOMPurify

PavPav commented 1 month ago

Looks like one more CVE has been found now, CVE-2024-47875, but updating to DOMPurify@3.1.3 should still solve the issue.

mjbvz commented 1 month ago

This PR will bump to the currently latest release (3.1.7): https://github.com/microsoft/vscode/pull/230250

mjbvz commented 3 weeks ago

Closing, as the upstream change in VS Code has been merged.

acherkashin commented 2 weeks ago

@mjbvz thank you for fixing the issue 👍.

Do you happen to know when monaco-editor version 0.53 will be released with the vulnerability fix?