tea3 / hexo-related-popular-posts

A hexo plugin that generates a list of links to related posts and popular posts. This plugin can also fetch visitor counts (PV) for posts.
MIT License

Security problem #28

Open vioao opened 3 years ago

vioao commented 3 years ago

There are some security problems.

Below is the dependency tree:

`-- hexo-related-popular-posts@4.0.0
  `-- ga-analytics@0.0.7
    `-- googleapis@1.1.5
      +-- gapitoken@0.1.5
      | `-- request@2.88.2
      `-- request@2.51.0

Below is the problem:

CVE-2017-16026, moderate severity
Vulnerable versions: >= 2.49.0, < 2.68.0
Patched version: 2.68.0

Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.

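The advisory quoted above describes a classic Node.js memory-disclosure pattern: a value that was meant to be body content is instead interpreted as a buffer size. The following is an added example, not code from `request`, `ga-analytics` or this plugin; it is a simplified reconstruction of the pattern the CVE text describes, with a hardened counterpart and a pre-flight check. `Buffer.allocUnsafe()` stands in for the legacy `Buffer(n)` call (Node 8 and later zero-fill `Buffer(n)`, so the leak itself is not reproducible on current Node, but the oversized, content-free body still is). The part names and the `views` counter are constructed sample input.

```javascript
'use strict'

// Added example, not the request library's code: simplified reconstruction
// of the CVE-2017-16026 pattern. A multipart part whose `body` is a number
// reaches Buffer(n), which allocates an n-byte buffer that is then sent as
// the part's content. On Node < 8 that memory was uninitialised.

const CRLF = '\r\n'

// Vulnerable pattern: a numeric body becomes an allocation size.
// Buffer.allocUnsafe() stands in for legacy Buffer(n) (assumption: same
// shape as the bug, not the library's actual source).
function vulnerableBodyToBuffer(body) {
  if (Buffer.isBuffer(body)) return body
  if (typeof body === 'number') return Buffer.allocUnsafe(body) // the bug
  return Buffer.from(String(body))
}

// Hardened pattern: accept only string or Buffer, so a number can never
// be interpreted as a size.
function safeBodyToBuffer(body) {
  if (Buffer.isBuffer(body)) return body
  if (typeof body === 'string') return Buffer.from(body, 'utf8')
  throw new TypeError(`multipart body must be string or Buffer, got ${typeof body}`)
}

// Assemble a minimal multipart/form-data message from [{ name, body }]
// parts, using the supplied body converter.
function buildMultipart(parts, boundary, toBuffer) {
  const chunks = []
  for (const part of parts) {
    chunks.push(Buffer.from(
      `--${boundary}${CRLF}Content-Disposition: form-data; name="${part.name}"${CRLF}${CRLF}`))
    chunks.push(toBuffer(part.body))
    chunks.push(Buffer.from(CRLF))
  }
  chunks.push(Buffer.from(`--${boundary}--${CRLF}`))
  return Buffer.concat(chunks)
}

// Pre-flight check a caller can run on its own parts before handing them
// to an unpatched request: names of parts whose body is a number.
function numericBodyParts(parts) {
  return parts.filter(p => typeof p.body === 'number').map(p => p.name)
}

// Constructed sample input: a page-view counter that was never stringified.
const sampleParts = [
  { name: 'post', body: 'hello-world' },
  { name: 'views', body: 4096 },
]
const sampleBoundary = 'example-boundary'

// Bytes the vulnerable builder sends beyond what the stringified value
// needs: 4096 allocated bytes instead of the 4 bytes of "4096".
function leakedBytes() {
  const vuln = buildMultipart(sampleParts, sampleBoundary, vulnerableBodyToBuffer)
  const fixed = buildMultipart(
    sampleParts.map(p => ({ ...p, body: String(p.body) })),
    sampleBoundary, safeBodyToBuffer)
  return vuln.length - fixed.length
}

console.log('numeric-body parts:', numericBodyParts(sampleParts))
console.log('extra bytes sent by the vulnerable builder:', leakedBytes())
```

Even though the bytes are no longer uninitialised on modern Node, a part that silently expands to thousands of bytes of padding is still a sign that the caller's data model is wrong; the `numericBodyParts` check is the cheap way to catch it at the call site while the transitive dependency stays pinned.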
njzjz commented 3 years ago

Hi @tea3, you can use https://dependabot.com/ to get some PRs automatically

Misaka13514 commented 3 years ago

> Hi @tea3, you can use https://dependabot.com/ to get some PRs automatically

Dependabot cannot update them to a non-vulnerable version
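The tree in the issue has two copies of `request`: 2.88.2 (outside the advisory's range) and 2.51.0 (inside it, pulled in by googleapis@1.1.5). A tool that bumps direct version ranges cannot fix the nested copy unless its parent's pin allows it, which is the situation the last comment describes. The script below is an added example, not part of the issue or of the plugin: it scans an npm lockfile (`lockfileVersion` 2 or 3 `packages` map) for copies of `request` inside the range the advisory states and reports which package's nested `node_modules` holds each one. The lockfile fragment is a constructed sample modelled on the `npm ls` output above; the hoisting layout and the absence of other fields are assumptions.

```javascript
'use strict'

// Added example, not from the issue or the project: find copies of
// `request` in an npm lockfile whose version is in the range given by the
// CVE-2017-16026 advisory text, and name the package that nests each copy.

// Range taken from the advisory quoted in the issue.
const VULN_RANGE = { pkg: 'request', min: '2.49.0', max: '2.68.0' }

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v)
  if (!m) throw new Error(`unparseable version: ${v}`)
  return m.slice(1, 4).map(Number)
}

// Numeric major.minor.patch comparison (pre-release tags ignored).
function compareVersions(a, b) {
  const pa = parseVersion(a)
  const pb = parseVersion(b)
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1
  }
  return 0
}

function inRange(version, { min, max }) {
  return compareVersions(version, min) >= 0 && compareVersions(version, max) < 0
}

// Name of the package whose nested node_modules directory holds `path`,
// i.e. the dependant whose own pin decides which version is installed.
// A top-level "node_modules/request" is hoisted and has no nesting parent.
function nestingParent(path) {
  const segs = path.split('/node_modules/')
  if (segs.length < 2) return null
  return segs[segs.length - 2].replace(/^node_modules\//, '')
}

function findVulnerable(lock, range = VULN_RANGE) {
  const hits = []
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !path.endsWith(`node_modules/${range.pkg}`)) continue
    if (meta.version && inRange(meta.version, range)) {
      hits.push({ path, version: meta.version, pinnedBy: nestingParent(path) })
    }
  }
  return hits
}

function report(lock, range = VULN_RANGE) {
  return findVulnerable(lock, range).map(h =>
    `${h.path}@${h.version} is in [${range.min}, ${range.max})` +
    (h.pinnedBy
      ? `; nested under ${h.pinnedBy}, whose pin (or an override) must change`
      : '; hoisted, a direct range bump can fix it'))
}

// Constructed lockfile fragment modelled on the issue's tree (assumed
// layout): request@2.88.2 hoisted, request@2.51.0 nested under googleapis.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'blog-site' },
    'node_modules/hexo-related-popular-posts': { version: '4.0.0' },
    'node_modules/ga-analytics': { version: '0.0.7' },
    'node_modules/googleapis': { version: '1.1.5' },
    'node_modules/googleapis/node_modules/request': { version: '2.51.0' },
    'node_modules/gapitoken': { version: '0.1.5' },
    'node_modules/request': { version: '2.88.2' },
  },
}

for (const line of report(sampleLock)) console.log(line)
```

Once the nesting parent is known, the `overrides` field in `package.json` (npm 8.3 or later) or Yarn's `resolutions` can force the nested copy to a patched version; whether googleapis 1.1.5 still works against request >= 2.68.0 is something to test rather than assume. To run this against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.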