search

surma / rollup-plugin-off-main-thread

Use Rollup with workers and ES6 modules today.
Apache License 2.0
308 stars 32 forks source link

CVE-2023-29827 #56

Open kraison1 opened 1 year ago

kraison1 commented 1 year ago

Ref nvd: https://nvd.nist.gov/vuln/detail/CVE-2023-29827

Dependency Path: react-scripts (5.0.1) -> workbox-build (6.6.0) -> @surma/rollup-plugin-off-main-thread (2.2.3) -> ejs(3.1.9)

Img nvd Screen-Shot-2566-06-26-at-11.40.097f8bd4d89d054c96.png

Img black duck Screen-Shot-2566-06-26-at-11.23.03.png

Prozect2024 commented 1 month ago

Dear Maintainer's/Project Team,

I am writing to inform you about a security vulnerability in the EJS template engine (version 3.1.10) that affects your project via transitive dependencies. Specifically, the vulnerability is present in surma/rollup-plugin-off-main-thread v2.2.3, which is a dependency of workbox-build v7.1.0 and workbox-webpack-plugin v7.1.0.

Given the potential security risks associated with this vulnerability, I would like to request an update to your project that removes or replaces the vulnerable dependency. A possible solution could be updating to a non-vulnerable version of EJS (3.1.11 or later) or switching to an alternative templating engine if feasible.

Addressing this issue would help ensure that projects depending on your library can maintain security best practices. Please let me know if there are any plans to release an update or if there are workarounds that can be implemented in the meantime.

Thank you for your attention to this matter and for your continued work on this important project.

Best regards, Kate