skrapeit / skrape.it

A Kotlin-based testing/scraping/parsing library providing the ability to analyze and extract data from HTML (server & client-side rendered). It places particular emphasis on ease of use and a high level of readability by providing an intuitive DSL. It aims to be a testing lib, but can also be used to scrape websites in a convenient fashion.
https://docs.skrape.it
MIT License
790 stars 57 forks

[BUG] security vulnerabilities in libraries #241

Open Lastaapps opened 2 months ago

Lastaapps commented 2 months ago

Describe the bug

Hi, I just included version 1.3.0-alpha.2 of skrape.it into my project, and IntelliJ reports that the package depends on vulnerable versions of quite a few libraries. When I try version 1.2.2, it's the same. I don't say that users of this library are directly vulnerable, but it's suspicious at least. All the vulnerabilities have quite a high score, so it would make sense just to make a 1.2.3 release with these libs bumped. Thanks for the great project!

(Screenshot: all the vulnerabilities reported by IntelliJ)

Lastaapps commented 2 months ago

A potential fix for anyone reading this is to just update the libraries on your side; this should be safe.

```kotlin
// build.gradle.kts: declaring the patched versions directly overrides the
// transitive ones, because Gradle's default conflict resolution picks the
// highest requested version of each module.
dependencies {
    implementation("ch.qos.logback:logback-core:1.4.12")
    implementation("ch.qos.logback:logback-classic:1.4.12")
    implementation("commons-net:commons-net:3.9.0")
    implementation("org.apache.commons:commons-text:1.10.0")
    implementation("org.jsoup:jsoup:1.15.3")
    implementation("xalan:xalan:2.7.3")
}
```
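To confirm the override actually took effect, the resolved versions from `./gradlew dependencies` can be checked against the minimums listed above. The script below is an added example, not part of the issue or of skrape.it; the dependency tree it parses is constructed, and the transitive versions in it are illustrative.

```python
import re

# Minimum versions from the comment above (group:artifact -> version).
MIN_VERSIONS = {
    "ch.qos.logback:logback-core": "1.4.12",
    "ch.qos.logback:logback-classic": "1.4.12",
    "commons-net:commons-net": "3.9.0",
    "org.apache.commons:commons-text": "1.10.0",
    "org.jsoup:jsoup": "1.15.3",
    "xalan:xalan": "2.7.3",
}

# Matches `./gradlew dependencies` tree lines, with or without a "-> resolved" arrow:
#   +--- org.jsoup:jsoup:1.14.3 -> 1.15.3 (*)      \--- xalan:xalan:2.7.2
DEP_RE = re.compile(
    r"[+\\]--- (?P<coord>[\w.\-]+:[\w.\-]+):(?P<declared>\S+)(?: -> (?P<resolved>\S+))?")

# Constructed sample output; the transitive versions are illustrative, not measured.
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of 'main'.
+--- it.skrape:skrapeit:1.2.2
|    +--- org.jsoup:jsoup:1.14.3
|    +--- commons-net:commons-net:3.8.0 -> 3.9.0
|    +--- org.apache.commons:commons-text:1.9
|    \\--- xalan:xalan:2.7.2
\\--- ch.qos.logback:logback-classic:1.2.11
     \\--- ch.qos.logback:logback-core:1.2.11
"""

def version_key(version):
    """Comparable tuple: numeric segments as ints (so 1.10 > 1.9), others as strings."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", version))

def resolved_versions(tree_text):
    """Map coordinate -> the version Gradle actually selected (arrow target if present)."""
    resolved = {}
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m:
            resolved[m["coord"]] = m["resolved"] or m["declared"]
    return resolved

def outdated(tree_text):
    """Watched coordinates still resolving below MIN_VERSIONS, with the version seen."""
    return {c: v for c, v in resolved_versions(tree_text).items()
            if c in MIN_VERSIONS and version_key(v) < version_key(MIN_VERSIONS[c])}
```

Feed it the real tree (`./gradlew dependencies --configuration runtimeClasspath`) and `outdated(...)` should return an empty dict once the overrides are in place.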