xdan / jodit

Jodit - Best WYSIWYG Editor for You
https://xdsoft.net/jodit/
MIT License

Dependabot reported issues with dependencies #776

Closed WendtWithers closed 2 years ago

WendtWithers commented 2 years ago

Jodit Version: 3.10.2

Browser: Any

OS: Any

Is React App: False

Code

// Dependabot reports issues with 5 packages in package-lock.json: nanoid, log4js, follow-redirects, node-forge, trim
// Two of those (follow-redirects and trim) are high severity, the rest are moderate
// See attached file

Expected behavior: No dependabot issues

Actual behavior: Capture

Remediation Suggested:

- Upgrade nanoid to version 3.1.31 or later
- Upgrade log4js to version 6.4.0 or later
- Upgrade follow-redirects to version 1.14.7 or later
- Upgrade node-forge to version 1.0.0 or later
- Upgrade trim to version 0.0.3 or later

WendtWithers commented 2 years ago

By the way, the image says 3.9.6, but the same old dependency versions are still in version 3.10.2

xdan commented 2 years ago

Try latest 3.13.2 please

WendtWithers commented 2 years ago

Better, but now I get another "moderate severity" complaint about postcss: Upgrade postcss to version 8.2.13 or later. Here's the CVE description (https://github.com/advisories/GHSA-566m-qj78-rww5):

The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern /\s sourceMappingURL=(.*).
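A way to verify locally that a package-lock.json no longer carries any of the versions flagged in this thread, as an added example (not Jodit's code); the lock-file content and the simplified version comparison are assumptions made for the example:

```javascript
// Added example (not Jodit's code): flag packages in a package-lock.json that sit
// below the versions advised in this thread. Sample lock content is constructed.
const MIN_VERSIONS = {
  nanoid: '3.1.31', log4js: '6.4.0', 'follow-redirects': '1.14.7',
  'node-forge': '1.0.0', trim: '0.0.3', postcss: '8.2.13',
};
// Numeric dotted compare; a pre-release suffix is ignored (simplifying assumption).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Every installed (name, version) pair: lockfileVersion 1 nests "dependencies",
// versions 2/3 list "packages" keyed by node_modules path (v2 carries both).
function collectInstalled(lock) {
  const found = new Map(); // keyed by name@version so v2 files are not double-counted
  const walkV1 = (deps) => {
    for (const [name, info] of Object.entries(deps || {})) {
      found.set(`${name}@${info.version}`, { name, version: info.version });
      walkV1(info.dependencies);
    }
  };
  walkV1(lock.dependencies);
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 13);
    found.set(`${name}@${info.version}`, { name, version: info.version });
  }
  return [...found.values()];
}
// Entries whose installed version is older than the advised minimum.
function auditLock(lockJson) {
  return collectInstalled(JSON.parse(lockJson)).filter(
    ({ name, version }) => Object.prototype.hasOwnProperty.call(MIN_VERSIONS, name)
      && compareVersions(version, MIN_VERSIONS[name]) < 0,
  );
}
// Constructed v1-style sample, not the Jodit repository's lock file.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 1,
  dependencies: {
    trim: { version: '0.0.1' },
    postcss: { version: '8.2.13', dependencies: { nanoid: { version: '3.1.20' } } },
    'follow-redirects': { version: '1.14.7' },
  },
});
console.log(auditLock(SAMPLE_LOCK)); // trim@0.0.1 and nanoid@3.1.20 are flagged
```

Run it against a real lock file by replacing SAMPLE_LOCK with `require('fs').readFileSync('package-lock.json', 'utf8')`; an empty result means none of the six advisories in this thread still applies.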