tangrams / tangram

WebGL map rendering engine for creative cartography
https://tangram.city
MIT License

High severity security vulnerabilities introduced by the js-yaml v3.5.3 Tangram fork #781

Open rokotyan opened 3 years ago

rokotyan commented 3 years ago

TANGRAM VERSION: 0.21.1

The js-yaml fork used in Tangram has high severity security vulnerabilities according to npm audit. That makes it difficult to use Tangram in any kind of enterprise product. Is it possible to update js-yaml to version 3.13.1 or later?

ENVIRONMENT: macOS 10.15.7

TO REPRODUCE THE ISSUE, FOLLOW THESE STEPS:

1. Add Tangram as a dependency to your project.
2. Run npm audit (or yarn audit).

RESULT:

js-yaml  <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813

EXPECTED RESULT: npm audit should not find vulnerabilities related to Tangram.
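For anyone triaging this kind of report before a fix lands, the following is an added example (not code from Tangram or from the issue author) that scans an npm lockfile for js-yaml copies older than 3.13.1, the first version outside the advisory range quoted above, and reports which dependency pulled each one in. It assumes a lockfile v2/v3 `packages` map; the embedded lockfile, package names other than tangram and js-yaml, and the `example.invalid` resolved URL are constructed placeholders.

```javascript
// Added example: find js-yaml versions still inside the npm audit range
// (<= 3.13.0) in a lockfile and show the path of the dependent that requires them.
const ADVISORY_FIXED_VERSION = '3.13.1'; // first version not flagged by advisories 788/813

// Compare two dotted version strings numerically; prerelease suffixes are ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map (lockfile v2/v3). Keys are install paths such as
// "node_modules/tangram/node_modules/js-yaml", so the key itself tells us who nested it.
function findVulnerableJsYaml(lock, fixedVersion = ADVISORY_FIXED_VERSION) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/js-yaml')) continue;
    const version = entry.version || '';
    if (!version || compareVersions(version, fixedVersion) >= 0) continue;
    hits.push({ path, version, resolved: entry.resolved || null });
  }
  return hits;
}

// Constructed sample lockfile (illustrative only, not Tangram's real lockfile):
// the app's own js-yaml is current, but Tangram nests an old forked copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'my-map-app', dependencies: { tangram: '0.21.1', 'js-yaml': '^4.1.0' } },
    'node_modules/tangram': { version: '0.21.1' },
    'node_modules/tangram/node_modules/js-yaml': {
      version: '3.5.3',
      resolved: 'git+https://example.invalid/js-yaml-fork#placeholder', // constructed
    },
    'node_modules/js-yaml': { version: '4.1.0' },
  },
};

for (const hit of findVulnerableJsYaml(SAMPLE_LOCK)) {
  console.log(`vulnerable js-yaml ${hit.version} at ${hit.path} (${hit.resolved})`);
}
```

Point `findVulnerableJsYaml` at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; a nested hit under `node_modules/tangram/` is the signature of the fork this issue describes.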

cluen commented 9 months ago

Any updates on this?