rayd / html-parse-stringify2

Parses well-formed HTML (meaning all tags closed) into an AST and back. quickly.

New Security Vulnerability is detected in the library CVE-2021-23346 #28

Closed pavanjava closed 1 month ago

pavanjava commented 3 years ago

Hi Team, html-parse-stringify2 is a transitive dependency, the latest version available is 2.0.1, and CVE-2021-23346 is detected in the latest version. Is this library actively maintained? If yes, is anyone actively looking into it?

SeinopSys commented 3 years ago

Considering the latest publish was nearly half a decade ago I would suggest you look into the original package which this is a fork of, html-parse-stringify. If you are depending on this transitively through react-i18next there's already some progress on replacing this package with it here: i18next/react-i18next#1283

pavanjava commented 3 years ago

@SeinopSys: thanks for the clarification, will check react-i18next and html-parse-stringify directly.

modestfake commented 3 years ago

@rayd have all of the fixes that were introduced in this fork been merged into the original repository? If so, could you please add a note to the README.md to advise using the original repo instead?