saurabhnemade / react-twitter-embed

Simplest way to add twitter widgets to your react project.
https://saurabhnemade.github.io/react-twitter-embed/
367 stars 66 forks

`script.js` dependency causes security check failure #54

Open sfuerte opened 4 years ago

sfuerte commented 4 years ago

Looks like the subject dependency (https://github.com/ded/script.js) is no longer maintained; the last commit was on Oct 1, 2018.

Retire.js shows known vulnerabilities for 3rd-party libs:

```
> retire
retire.js v2.0.3
Downloading https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json ...
Downloading https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json ...
..../node_modules/scriptjs/vendor/jquery.js
 ↳ jquery 1.5.2
jquery 1.5.2 has known vulnerabilities: severity: medium; CVE: CVE-2011-4969, summary: XSS with location.hash; https://nvd.nist.gov/vuln/detail/CVE-2011-4969 http://research.insecurelabs.org/jquery/test/ https://bugs.jquery.com/ticket/9521 severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b

..../node_modules/scriptjs/vendor/yui-utilities.js
 ↳ YUI 2.8.2r1
YUI 2.8.2r1 has known vulnerabilities: severity: high; CVE: CVE-2012-5882; http://www.cvedetails.com/cve/CVE-2012-5882/ severity: high; CVE: CVE-2012-5881; http://www.cvedetails.com/cve/CVE-2012-5881/ severity: medium; CVE: CVE-2010-4710; http://www.cvedetails.com/cve/CVE-2010-4710/ severity: high; CVE: CVE-2010-4208; http://www.cvedetails.com/cve/CVE-2010-4208/ severity: high; CVE: CVE-2010-4207; http://www.cvedetails.com/cve/CVE-2010-4207/
```

react-twitter-embed dependency on script.js: https://github.com/saurabhnemade/react-twitter-embed/blob/fe4fbd4779621434a36213144576a3d5ec143a9e/package.json#L104

```
├┬ react-twitter-embed@3.0.3
.....
│ └── scriptjs@2.5.9
...
```

Is it possible NOT to use script.js completely?
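
On the question of dropping script.js: a dependency-free loader that injects a third-party script once and returns a promise, written as an added example that is not part of the original issue or the project's code. The function name `loadScriptOnce`, the `id` option and the assumption that the only script needed is Twitter's `widgets.js` are illustrative, not taken from the react-twitter-embed source.

```javascript
// Added example: minimal replacement for a script-loader dependency.
// WIDGETS_URL is the public Twitter widgets script; its use here is an assumption
// about what the component needs to load.
const WIDGETS_URL = 'https://platform.twitter.com/widgets.js';

const pending = new Map(); // src -> Promise, so each URL is injected only once

function loadScriptOnce(src, doc = globalThis.document, { id, timeoutMs = 10000 } = {}) {
  // Absolute https URLs only: refuse plain http and relative or malformed input.
  if (new URL(src).protocol !== 'https:') {
    throw new TypeError(`refusing to load non-https script: ${src}`);
  }
  if (pending.has(src)) return pending.get(src);

  const promise = new Promise((resolve, reject) => {
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    if (id) el.id = id;

    function fail(err) {
      clearTimeout(timer);
      pending.delete(src); // forget the failed attempt so a retry is possible
      if (typeof el.remove === 'function') el.remove();
      reject(err);
    }
    const timer = setTimeout(() => fail(new Error(`timeout loading ${src}`)), timeoutMs);

    el.onload = () => { clearTimeout(timer); resolve(el); };
    el.onerror = () => fail(new Error(`failed to load ${src}`));
    doc.head.appendChild(el);
  });

  pending.set(src, promise);
  return promise;
}
```

In a browser, `loadScriptOnce(WIDGETS_URL).then(() => { /* window.twttr is available */ })` covers the load-then-callback pattern without pulling a loader package and its vendored files into `node_modules`.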