Critical vulnerability -> Chart.js library vulnerable to prototype polution.

node-red / node-red-dashboard

A dashboard UI for Node-RED

Other

1.31k stars 453 forks source link

Critical vulnerability -> Chart.js library vulnerable to prototype polution. #830

Open Wideyedwonderer opened 7 months ago

Wideyedwonderer commented 7 months ago

What are the steps to reproduce?

Install the latest version of node-red-dashboard as node_module
Go to dist/js/app.min.js
Search for "Chart.js"

What happens?

Version 2.3.0 is found. This library is listed with the following CRITICAL vulnerability in the NIST database: CVE-2020-7746

What do you expect to happen?

Version after 2.9.4 to be found.

dceejay commented 7 months ago

Yes - sadly the angular v1 dashboard uses some other libraries that are pinned to version 2.3 - so you can either rebuild the dashboard without the chart node - or look to move to the dashboard v2.