observablehq / framework

A static site generator for data apps, dashboards, reports, and more. Observable Framework combines JavaScript on the front-end for interactive graphics with any language on the back-end for data analysis.
https://observablehq.com/framework/
ISC License

Increase the required version of send from 0.18 to 0.19 #1693

Closed michalc closed 1 month ago

michalc commented 1 month ago

The version of send 0.18 has a published vulnerability that is fixed in 0.19, see https://github.com/advisories/GHSA-m6fv-jmcg-4jfg. However, the version specifier of "^0.18.0" in package.json does not allow projects to use 0.19.

This changes the specifier to "^0.19.0" which allows (and requires) Observable Framework projects to use 0.19 to avoid the vulnerability.

Note that the vulnerability https://github.com/advisories/GHSA-m6fv-jmcg-4jfg has been public for over 2 weeks at this point, and so this isn't disclosing anything new.
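
The point of the change is a semver detail that is easy to miss in review: a caret range on a 0.x version only floats the patch component, so "^0.18.0" can never resolve to 0.19.0 and a `npm update` will not pick up the fixed release on its own. The following is an added example, not code from this PR or from Observable Framework, that implements the caret rule for plain `x.y.z` versions (no prerelease tags or partial ranges, which the real `semver` package also handles) so a reviewer can check whether a given specifier is able to reach a fixed version.

```javascript
// Minimal caret-range checker for npm-style "^x.y.z" specifiers.
// Added example (not Observable Framework code). Implements the documented
// semver rule: a caret range permits changes that do not modify the left-most
// non-zero component, so ^1.2.3 is >=1.2.3 <2.0.0, ^0.18.0 is >=0.18.0 <0.19.0,
// and ^0.0.3 is >=0.0.3 <0.0.4. Only plain x.y.z versions are supported here.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the inclusive lower bound and exclusive upper bound of a caret range.
function caretRange(spec) {
  if (!spec.startsWith("^")) throw new Error(`not a caret range: ${spec}`);
  const min = parseVersion(spec.slice(1));
  const [major, minor, patch] = min;
  let maxExclusive;
  if (major > 0) maxExclusive = [major + 1, 0, 0];      // ^1.2.3 -> <2.0.0
  else if (minor > 0) maxExclusive = [0, minor + 1, 0]; // ^0.18.0 -> <0.19.0
  else maxExclusive = [0, 0, patch + 1];                // ^0.0.3 -> <0.0.4
  return { min, maxExclusive };
}

// True if `version` is allowed by the caret specifier `spec`.
function satisfies(version, spec) {
  const v = parseVersion(version);
  const { min, maxExclusive } = caretRange(spec);
  return compareVersions(v, min) >= 0 && compareVersions(v, maxExclusive) < 0;
}

// Review helper (constructed for this example): can the dependency range in
// package.json ever resolve to the release that carries the fix?
function rangeReachesFix(spec, fixedVersion) {
  return satisfies(fixedVersion, spec);
}

// Constructed walk-through using the versions discussed in this PR.
const before = "^0.18.0";
const after = "^0.19.0";
const fixed = "0.19.0";
console.log(`${before} reaches ${fixed}:`, rangeReachesFix(before, fixed)); // false
console.log(`${after} reaches ${fixed}:`, rangeReachesFix(after, fixed));   // true
```

Run it with `node` to see the two lines; the first shows why bumping the specifier (rather than waiting for a lockfile refresh) was necessary, and the helper can be pointed at any other dependency whose advisory names a fixed version.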

mbostock commented 1 month ago

Thank you!

Fil commented 1 month ago

Thanks! I've edited the description to reflect the actual version numbers.

michalc commented 1 month ago

Oh oops! Thank you :-)