Closed Amir-61 closed 5 years ago
Hi, thanks for reporting the vulnerability.
Since it's in the highlight.js dependency, and they seem to have already resolved it, I think all you need to do is reinstall the package to upgrade the dependency.
Close the issue for now.
Thanks. Yes, I verified the issue got resolved; also commented: https://github.com/highlightjs/highlight.js/issues/2067#issuecomment-508785741
High severity vulnerability found in shelljs
Description: Command Injection
From: angular-highlightjs@0.7.1 > highlight.js@9.15.5 > gear-lib@0.9.2 > jshint@2.5.11 > shelljs@0.3.0
Please see: https://github.com/shelljs/shelljs/issues/810 and https://github.com/shelljs/shelljs/pull/524#issuecomment-507152989
TL;DR: There is no security fix in shelljs; their recommendation is: "If you do use shell.exec(), don't pass untrusted user input (or other external values) to the function--string literals are of course the safest option."
From: https://github.com/shelljs/shelljs/issues/810#issuecomment-356835680