shorwood / strapi-provider-upload-do

Strapi Upload Provider for Digital Ocean Spaces. This provider will upload to the space using the AWS S3 API.
MIT License
59 stars 32 forks

chore: Upgraded urijs & aws-sdk #19

Closed snappytux closed 10 months ago

snappytux commented 1 year ago

I use dependency-scan and it worked out like this.

```
urijs

urijs  <=1.19.10
Severity: high
Incorrect protocol extraction via \r, \n and \t characters - https://github.com/advisories/GHSA-3vjf-82ff-p4r3
URL Confusion When Scheme Not Supplied in medialize/uri.js - https://github.com/advisories/GHSA-g694-m8vq-gv9h
Hostname spoofing via backslashes in URL  - https://github.com/advisories/GHSA-89gv-h8wf-cg8r
Open Redirect in urijs - https://github.com/advisories/GHSA-8h2f-7jc4-7m3m
Leading white space bypasses protocol validation - https://github.com/advisories/GHSA-gmv4-r438-p67f
Authorization Bypass Through User-Controlled Key in urijs - https://github.com/advisories/GHSA-gcv8-gh4r-25x6

xml2js

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install aws-sdk@2.1418.0, which is outside the stated dependency range
node_modules/xml2js
  aws-sdk  <=2.1353.0
  Depends on vulnerable versions of xml2js
  node_modules/aws-sdk
```
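
A way to confirm that the lockfile after an upgrade no longer resolves the ranges the scan above flagged, as an added example that is not part of this PR or of the provider's code: it reads a lockfileVersion 2/3 `packages` map, compares each resolved version against the `<=X.Y.Z` / `<X.Y.Z` ranges copied from the audit output, and reports any package still inside a vulnerable range. The lockfile below is constructed for the example.

```javascript
// Added example (not the provider's code): check resolved versions in a
// package-lock.json against the vulnerable ranges the dependency scan reported.
// Ranges and severities are copied from the audit output above; the aws-sdk
// entry is flagged only because it pins a vulnerable xml2js.
const ADVISORIES = [
  { name: 'urijs',   range: '<=1.19.10',  severity: 'high' },
  { name: 'xml2js',  range: '<0.5.0',     severity: 'moderate' },
  { name: 'aws-sdk', range: '<=2.1353.0', severity: 'moderate' },
];

// Numeric major.minor.patch comparison (prerelease tags are not handled).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Only the two range shapes used by the audit output are supported.
function satisfies(version, range) {
  const m = /^(<=|<)(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  return m[1] === '<=' ? c <= 0 : c < 0;
}

// Walk every node_modules entry (nested ones included) and collect matches.
function findVulnerable(lock, advisories = ADVISORIES) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (!path.startsWith('node_modules/')) continue; // skip the root project entry
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    for (const adv of advisories) {
      if (adv.name === name && satisfies(pkg.version, adv.range)) {
        hits.push({ path, version: pkg.version, range: adv.range, severity: adv.severity });
      }
    }
  }
  return hits;
}

// Constructed lockfile: urijs left on the last vulnerable release, aws-sdk on the
// version `npm audit fix --force` said it would install, xml2js already patched.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'strapi-provider-upload-do', version: '0.0.0' },
    'node_modules/urijs': { version: '1.19.10' },
    'node_modules/aws-sdk': { version: '2.1418.0' },
    'node_modules/aws-sdk/node_modules/xml2js': { version: '0.5.0' },
  },
};

console.log(findVulnerable(SAMPLE_LOCK)); // only node_modules/urijs is reported
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.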
bobvork commented 10 months ago

I would love for this to get merged

shorwood commented 10 months ago

Thanks for this PR!