upsetjs / upsetjs

😠 UpSet.js - a set visualization library for rendering UpSet Plots (a JavaScript re-implementation of UpSet(R) by Lex et al), Euler Diagrams, Venn Diagrams, and Karnaugh Maps
https://upset.js.org

rollup CVE #139

Open doug-numetric opened 1 month ago

doug-numetric commented 1 month ago

When I install the latest @upsetjs/venn.js GitHub complains about a rollup security advisory https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm

To Reproduce

npm i @upsetjs/venn.js@1.4.2

Expected behavior

Most recent version free from security advisories

Additional context

It's a transitive devDependency and I'm not sure if the advisory is even exploitable in apps that just use @upsetjs/venn.js. From reading the advisory, it seems that it's possible that the rollup built artifacts pushed to NPM may contain the vulnerability.

doug-numetric commented 1 month ago

I'm pretty sure that the vulnerable code in rollup is not utilized by @upsetjs/venn.js. Searching for currentScript or typeof document yields no results. Might be nice to update your rollup dependency all the same or remove it from the package.json in the npm published build https://socket.dev/npm/package/@upsetjs/venn.js/files/1.4.2/package.json#L78
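The check described in the comment above, written out as a small audit script. This is an added example, not code from UpSet.js or from the commenter: it walks an unpacked package directory, lists any shipped .js files that reference `currentScript` or `typeof document`, and reports whether package.json still names rollup. The two sample packages it scans are constructed inside the script so it runs offline; on a real install you would point `audit_package` at `node_modules/@upsetjs/venn.js`.

```shell
#!/bin/sh
# Added example (not UpSet.js code): audit an unpacked npm package directory
# for the pattern named in the rollup advisory and for a lingering rollup entry
# in package.json. Sample packages are constructed below; nothing is downloaded.

# Print the names of .js files under $1 that reference the advisory's pattern.
find_currentscript_uses() {
  find "$1" -name '*.js' -exec grep -lE 'currentScript|typeof document' {} + 2>/dev/null || true
}

# Succeed (0) when package.json under $1 names rollup in any dependency block.
lists_rollup() {
  grep -qE '"rollup"[[:space:]]*:' "$1/package.json" 2>/dev/null
}

# Verdict for the package at $1:
#   0 = no matching code and rollup not listed
#   1 = shipped JavaScript references the pattern (review it before trusting the build)
#   2 = code is clean but rollup is still listed in package.json
audit_package() {
  pkg_dir=$1
  hits=$(find_currentscript_uses "$pkg_dir")
  if [ -n "$hits" ]; then
    echo "pattern found in: $hits"
    return 1
  fi
  if lists_rollup "$pkg_dir"; then
    echo "rollup is still listed in $pkg_dir/package.json"
    return 2
  fi
  echo "$pkg_dir: no currentScript/typeof document usage, rollup not listed"
  return 0
}

# Build two constructed packages under a temp dir and print its path:
#   clean/   - plain bundle, no rollup in package.json
#   suspect/ - bundle that reads document.currentScript, rollup listed as a devDependency
make_samples() {
  root=$(mktemp -d)
  mkdir -p "$root/clean/dist" "$root/suspect/dist"
  printf '%s\n' 'export function venn(sets) { return sets.length; }' \
    > "$root/clean/dist/index.js"
  printf '%s\n' '{ "name": "clean-pkg", "version": "1.0.0",' \
    '  "devDependencies": { "typescript": "^5.0.0" } }' \
    > "$root/clean/package.json"
  printf '%s\n' \
    "var base = typeof document !== 'undefined' && document.currentScript ? document.currentScript.src : '';" \
    'export function venn(sets) { return sets.length; }' \
    > "$root/suspect/dist/index.js"
  printf '%s\n' '{ "name": "suspect-pkg", "version": "1.0.0",' \
    '  "devDependencies": { "rollup": "^2.0.0" } }' \
    > "$root/suspect/package.json"
  echo "$root"
}

# Demo on the constructed samples; a real run would target node_modules/@upsetjs/venn.js.
samples=$(make_samples)
audit_package "$samples/clean"
audit_package "$samples/suspect" || echo "verdict: $?"
rm -rf "$samples"
```

The two checks are deliberately separate: a published bundle with no `currentScript` reference is the thing that actually matters for consumers, while a rollup entry in the shipped package.json is only noise that keeps triggering the advisory, which is the cleanup the comment asks for.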