Open slfhstr opened 1 year ago
This project appears to be abandoned and contain security vulnerabilities.
It seems so. Any open source alternatives that you know about?
In my understanding the only issue is lack of user login / authentication. Then the vulnerability doesn't exist (correct me if I'm wrong). My package with authentication seems to address this.
Even without further development, it's still a useful app which can continue to be used with some authentication in front of it. I used it for a while with just HTTP Auth via an nginx reverse proxy.
User authentication is another issue; however, simply adding such authentication would not automatically patch the vulnerability (CVE-2023-23277), although it would limit its exploitability. I will also add that this project's packages are not being updated, which could potentially introduce more vulnerabilities.
This repository contains dependencies with serious vulnerabilities (see Table 1).
OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
---|---|---|---|---|---|
https://osv.dev/GHSA-93q8-gq69-wqmw | 7.5 | npm | ansi-regex | 4.1.0 | snippet-box\package-lock.json |
https://osv.dev/GHSA-4gxf-g5gf-22h4 | 7.5 | npm | dottie | 2.0.2 | snippet-box\package-lock.json |
https://osv.dev/GHSA-pfrx-2q88-qq97 | 5.3 | npm | got | 9.6.0 | snippet-box\package-lock.json |
https://osv.dev/GHSA-rc47-6667-2j5j | 7.5 | npm | http-cache-semantics | 4.1.0 | snippet-box\package-lock.json |
https://osv.dev/GHSA-896r-f27r-55mw | 9.8 | npm | json-schema | 0.2.3 | snippet-box\package-lock.json |
https://osv.dev/GHSA-f8q6-p94x-37v3 | 7.5 | npm | minimatch | 3.0.4 | snippet-box\package-lock.json |
https://osv.dev/GHSA-xvch-5gv4-984h | 9.8 | npm | minimist | 1.2.5 | snippet-box\package-lock.json |
https://osv.dev/GHSA-8hfj-j24r-96c4 | 7.5 | npm | moment | 2.29.1 | snippet-box\package-lock.json |
https://osv.dev/GHSA-wc69-rhjr-hc9g | 7.5 | npm | moment | 2.29.1 | snippet-box\package-lock.json |
https://osv.dev/GHSA-56x4-j7p9-fcf9 | | npm | moment-timezone | 0.5.33 | snippet-box\package-lock.json |
https://osv.dev/GHSA-v78c-4p63-2j6c | | npm | moment-timezone | 0.5.33 | snippet-box\package-lock.json |
https://osv.dev/GHSA-hrpp-h998-j3pp | 7.5 | npm | qs | 6.5.2 | snippet-box\package-lock.json |
https://osv.dev/GHSA-hrpp-h998-j3pp | 7.5 | npm | qs | 6.7.0 | snippet-box\package-lock.json |
https://osv.dev/GHSA-p8p7-x288-28g6 | 6.1 | npm | request | 2.88.2 | snippet-box\package-lock.json |
https://osv.dev/GHSA-c2qf-rxjj-qqgw | 5.3 | npm | semver | 5.3.0 | snippet-box\package-lock.json |
https://osv.dev/GHSA-c2qf-rxjj-qqgw | 5.3 | npm | semver | 5.7.1 | snippet-box\package-lock.json |
https://osv.dev/GHSA-c2qf-rxjj-qqgw | 5.3 | npm | semver | 6.3.0 | snippet-box\package-lock.json |
https://osv.dev/GHSA-c2qf-rxjj-qqgw | 5.3 | npm | semver | 7.3.5 | snippet-box\package-lock.json |
https://osv.dev/GHSA-wrh9-cjv3-2hpw | 10 | npm | sequelize | 6.6.5 | snippet-box\package-lock.json |
https://osv.dev/GHSA-8c25-f3mj-v6h8 | 5.3 | npm | sequelize | 6.6.5 | snippet-box\package-lock.json |
https://osv.dev/GHSA-vqfx-gj96-3w95 | 9.9 | npm | sequelize | 6.6.5 | snippet-box\package-lock.json |
https://osv.dev/GHSA-f598-mfpv-gmfx | 10 | npm | sequelize | 6.6.5 | snippet-box\package-lock.json |
https://osv.dev/GHSA-g4rg-993r-mgx7 | 9.8 | npm | shell-quote | 1.7.2 | snippet-box\package-lock.json |
https://osv.dev/GHSA-9qrh-qjmc-5w2p | 7.5 | npm | sqlite3 | 5.0.2 | snippet-box\package-lock.json |
https://osv.dev/GHSA-jqv5-7xpx-qj74 | 8.1 | npm | sqlite3 | 5.0.2 | snippet-box\package-lock.json |
https://osv.dev/GHSA-3jfq-g458-7qm9 | 8.2 | npm | tar | 2.2.2 | snippet-box\package-lock.json |
https://osv.dev/GHSA-r628-mhmh-qjhw | 8.2 | npm | tar | 2.2.2 | snippet-box\package-lock.json |
https://osv.dev/GHSA-9r2w-394v-53qc | 8.2 | npm | tar | 2.2.2 | snippet-box\package-lock.json |
https://osv.dev/GHSA-5955-9wpr-37jh | 8.2 | npm | tar | 2.2.2 | snippet-box\package-lock.json |
https://osv.dev/GHSA-qq89-hq3f-393p | 8.2 | npm | tar | 2.2.2 | snippet-box\package-lock.json |
https://osv.dev/GHSA-72xf-g2v4-qvf3 | 6.5 | npm | tough-cookie | 2.5.0 | snippet-box\package-lock.json |
https://osv.dev/GHSA-qgmg-gppg-76g5 | 5.3 | npm | validator | 13.6.0 | snippet-box\package-lock.json |
https://osv.dev/GHSA-xx4c-jj58-r7x6 | 5.3 | npm | validator | 13.6.0 | snippet-box\package-lock.json |
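As an added example (not code from this issue or from the snippet-box project), here is a small checker that extracts installed package versions from a `package-lock.json` (both the nested lockfileVersion 1 form and the flat `packages` form of v2/v3) and matches them against an advisory list. The advisory entries are constructed from a few rows of the table above, and the lockfile is a constructed sample; a real run would take the advisory list from the OSV API or `npm audit`.

```python
import json
from collections import defaultdict

# Constructed advisory list: (GHSA id, CVSS, package, affected version),
# copied from a few rows of the table above. A real audit would pull this
# from the OSV API (https://api.osv.dev) or `npm audit` instead.
ADVISORIES = [
    ("GHSA-wrh9-cjv3-2hpw", 10.0, "sequelize", "6.6.5"),
    ("GHSA-xvch-5gv4-984h", 9.8, "minimist", "1.2.5"),
    ("GHSA-896r-f27r-55mw", 9.8, "json-schema", "0.2.3"),
    ("GHSA-c2qf-rxjj-qqgw", 5.3, "semver", "5.7.1"),
    ("GHSA-c2qf-rxjj-qqgw", 5.3, "semver", "7.3.5"),
]

def installed_versions(lock):
    """Return {package: set(versions)} from a parsed package-lock.json.
    Handles lockfileVersion 1 (nested "dependencies") and 2/3 ("packages")."""
    found = defaultdict(set)
    def walk_v1(deps):
        for name, meta in deps.items():
            if "version" in meta:
                found[name].add(meta["version"])
            walk_v1(meta.get("dependencies", {}))   # transitive deps nest here
    walk_v1(lock.get("dependencies", {}))
    for path, meta in lock.get("packages", {}).items():
        if path and "version" in meta:             # "" is the root project
            found[path.rsplit("node_modules/", 1)[-1]].add(meta["version"])
    return found

def audit(lock_text, min_cvss=0.0):
    """Return (cvss, package, version, ghsa) hits, highest CVSS first."""
    versions = installed_versions(json.loads(lock_text))
    hits = {(cvss, pkg, ver, ghsa) for ghsa, cvss, pkg, ver in ADVISORIES
            if ver in versions.get(pkg, ()) and cvss >= min_cvss}
    return sorted(hits, reverse=True)

# Constructed lockfileVersion 1 sample; semver 7.3.5 is only reachable
# as a nested dependency of sequelize, and minimist is an unaffected version.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "sequelize": {"version": "6.6.5",
                      "dependencies": {"semver": {"version": "7.3.5"}}},
        "minimist": {"version": "1.2.6"},
        "semver": {"version": "5.7.1"},
    },
})

if __name__ == "__main__":
    for cvss, pkg, ver, ghsa in audit(SAMPLE_LOCK):
        print(f"{cvss:>4}  {pkg}@{ver}  https://osv.dev/{ghsa}")
```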
Can someone fork the repo and update the packages? Also, if it is used only locally, is it still a risk? Btw, this fork had updates 6 months ago: https://github.com/kaysgericht/snippet-box
First off, thank you @pawelmalak for a great app. I have been using it on self-hosted VPS in native Docker for 2 years. It's a really useful resource.
I'm moving most of my self-hosted to the Cloudron PaaS (https://cloudron.io) as it's a great platform for self-hosting. I've just packaged Snippet-Box for deployment on Cloudron (https://git.cloudron.io/timconsidine/snippet-box-cloudron) for my own use and to help others if you want to deploy it. Packaging on Cloudron adds an 'out of the box' authentication.
Would you be able to share if you have plans for further development or added features?