pxlrbt / filament-excel

Excel Export for Filament Admin Resources
MIT License

Fix CVE-2024-42485 for ver. 1.1.13? #201

Closed RChutchev closed 1 month ago

RChutchev commented 1 month ago

We have installed filament-excel for Filament v2, which for some reason we're currently unable to upgrade to v3. The last available filament-excel version for Filament 2 is 1.1.13, but this version is vulnerable. Can this CVE be fixed in a new 1.1.14 version for backward compatibility?

RChutchev commented 1 month ago

It's very easy to fix this CVE, because the changes would be exactly the same; see here: https://github.com/RChutchev/filament-excel/tree/ver.1.1.14

I'm unable to merge or propose these changes to your repo because there is no branch for version 1.1.13, which is the last one available for Filament 2.

FYI: the last commit in version 1.1.13 is 771952cfb26a79fc3da0cf78c916188ccf893dcd.

RChutchev commented 1 month ago

@pxlrbt, could you please participate? A branch for the old Filament 2 version needs to be created in your repo to fix this bug.

pxlrbt commented 1 month ago

Can this CVE be fixed in the new 1.1.14 version for backward compatibility?

Sorry, I didn't think about v1.x anymore, because I am not using it, but it makes sense as it's an easy fix. I created a 1.x branch and released v1.1.14.

@pxlrbt, could you please participate?

Yes. But please give me more than 24h to respond. This is still open source ;)

RChutchev commented 1 month ago

Thank you so much, and sorry; yes, I tagged you because a lot of people here on GitHub don't look at issues for months before being tagged personally. Next time I'll create an issue if required and tag you after 24 hours if there is no response.

RChutchev commented 1 month ago

And one more question: could you please update the CVE info at https://github.com/pxlrbt/filament-excel/security/advisories/GHSA-m3px-vjxr-fx4m? In the "Patched versions" part, also add 1.1.14. Otherwise, we still get a notification from Dependabot via GitHub and the same info via Packagist.

pxlrbt commented 1 month ago

I updated it on GitHub, but it seems like I cannot update the CVE and therefore not the Packagist warning.

pxlrbt commented 1 month ago

I tried submitting an update to the CVE. Not sure whether it worked though.