scottie1984 / swagger-ui-express

Adds middleware to your express app to serve the Swagger UI bound to your Swagger document. This acts as living documentation for your API hosted from within your app.
MIT License

swagger-ui-dist dependency with vulnerability at version 3.38.0 #234

Closed thaiscpaz closed 2 years ago

thaiscpaz commented 3 years ago

Good to know:

Description

While running an application through a CI pipeline, a step that runs the dependency vulnerability check raised the following issue:

Filename: swagger-ui-dist:3.38.0 | Highest CVSS Score: 6.1 | Amount of CVSS: 1 | References: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (6.1)

CWE-79 description

To reproduce

Run dependency-check cli vulnerability tool in any project that has swagger-ui-dist as dependency: $ dependency-check --scan <path to project>

Expected behavior

No vulnerabilities reported.

scottie1984 commented 3 years ago

I would suggest opening this issue with the swagger-ui team https://github.com/swagger-api/swagger-ui.