Closed zeg-io closed 5 years ago
The vulnerability was fixed in 1.0.4. I removed the note about the vulnerability in 98dc28c7398fd8d7690dce8b930fda7f30f9af25. It's still on npm because there was no new release since that commit. Only releases <= 1.0.3 are marked to be vulnerable and would be found by npm audit.
Does that answer your question?
@pvorb Pardon me, how is it "no new release since that commit"? The latest release is 2.1.2 but the npm's README is outdated?
That commit was after the 2.1.2 release.
Got it. I thought the commit's somewhere between 1.0.4 and 2.1.2 :rofl:
Yeah, no worries. I had to revisit the commit history to make sure I wasn't wrong.
The text 'XSS Vulnerability Detected' appears on the npmjs page for clone at the moment, as part of the readme (just before the 'Installation' heading). Is that the same issue as reported here?
Yes
Hi ... may I ask what the XSS vulnerability was due to, and what was the fix? I can't seem to find the fix in the commits ... thanks much :)
The NPM readme for this module states there is an XSS vulnerability, however this readme is different, and the npm audit shows no vulnerabilities. Was the issue resolved and just not republished to npm or is the issue still there but no longer in this readme?