pvorb / clone

deeply clone arbitrary objects in javascript
https://www.npmjs.com/package/clone
MIT License
781 stars, 130 forks

npm README #100

Closed zeg-io closed 5 years ago

zeg-io commented 5 years ago

The NPM readme for this module states there is an XSS vulnerability, however this readme is different, and the npm audit shows no vulnerabilities.

Was the issue resolved and just not republished to npm or is the issue still there but no longer in this readme?

pvorb commented 5 years ago

The vulnerability was fixed in 1.0.4. I removed the note about the vulnerability in 98dc28c7398fd8d7690dce8b930fda7f30f9af25. It's still on npm because there was no new release since that commit. Only releases <= 1.0.3 are marked to be vulnerable and would be found by npm audit.

Does that answer your question?

hiendv commented 5 years ago

@pvorb Pardon me, how is it "no new release since that commit"? The latest release is 2.1.2 but the npm's README is outdated?

pvorb commented 5 years ago

That commit was after the 2.1.2 release.

hiendv commented 5 years ago

Got it. I thought the commit's somewhere between 1.0.4 and 2.1.2 :rofl:

pvorb commented 5 years ago

Yeah, no worries. I had to revisit the commit history to make sure I wasn't wrong.

jayaddison commented 4 years ago

The text 'XSS Vulnerability Detected' appears on the npmjs page for clone at the moment, as part of the readme (just before the 'Installation' heading). Is that the same issue as reported here?

pvorb commented 4 years ago

Yes

gubo commented 3 years ago

Hi... may I ask what the XSS vulnerability was due to, and what was the fix? I can't seem to find the fix in the commits... thanks much :)