
[BUG] Moderate vulnerability in @refinedev/[email protected] #6321

Open
bombillazo opened this issue Sep 11, 2024 · 2 comments · May be fixed by #6354
Labels: bug (Something isn't working)

Comments

@bombillazo (Contributor)

Describe the bug

There is a moderate vulnerability in @refinedev/[email protected]

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install @refinedev/[email protected], which is a breaking change
node_modules/serve-static/node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static
    express  4.0.0-rc1 - 5.0.0-beta.3
    Depends on vulnerable versions of serve-static
    node_modules/express
      @refinedev/cli  >=2.5.4
      Depends on vulnerable versions of @refinedev/devtools-server
      Depends on vulnerable versions of express
      node_modules/@refinedev/cli
      @refinedev/devtools-server  *
      Depends on vulnerable versions of express
      node_modules/@refinedev/devtools-server

Steps To Reproduce

N/A

Expected behavior

No vulnerability is present, use updated package

Packages

  • @refinedev/cli

Additional Context

No response

@bombillazo bombillazo added the bug Something isn't working label Sep 11, 2024
@aliemir (Member)

aliemir commented Sep 12, 2024

Hey @bombillazo, thank you for reporting! Looks like serve-static just had a bump to fix the vulnerability, and express also had a release 10 hours ago with the fixed version (check out [email protected]). We don't pin the express version in @refinedev/cli and @refinedev/devtools-server, so a clean install without a lock file may upgrade it to latest. 🚀

Still, we can upgrade the version number to the fixed version in our package.json files. Would you like to work on this? We'd love to see your PR 🙏

@aliemir aliemir added this to the October Release milestone Sep 12, 2024
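The audit tree above shows why a lock file matters here: the vulnerable `send` is a nested copy under `serve-static`, so a top-level `send` at a fixed version does not clear it. The following added example (not code from the issue or the refine project) walks a package-lock.json `packages` map and reports every path that still resolves to an affected version; the advisory ranges are the ones quoted in the audit output, the lockfile fragment is constructed, and the version comparison is a deliberately minimal major.minor.patch check that ignores prerelease tags.

```javascript
// Advisory ranges as printed by npm audit in this issue (simple "<x" / "<=x" form only).
const ADVISORY = { send: "<0.19.0", "serve-static": "<=1.16.0" };

// Minimal semver compare: major.minor.patch only, prerelease suffix dropped.
function cmp(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when `version` falls inside a range written as "<x", "<=x", ">x" or ">=x".
function affected(version, range) {
  const op = range.match(/^(<=|<|>=|>)/)[1];
  const c = cmp(version, range.slice(op.length));
  if (op === "<") return c < 0;
  if (op === "<=") return c <= 0;
  if (op === ">") return c > 0;
  return c >= 0;
}

// Walk every installed path (including nested node_modules copies) and collect
// the ones whose resolved version is still inside an advisory range.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length); // keeps "@scope/name"
    const range = ADVISORY[name];
    if (range && affected(meta.version, range)) hits.push({ path, name, version: meta.version });
  }
  return hits;
}

// Constructed lockfile fragment mirroring the tree in the audit output: the
// top-level send is patched, but serve-static still carries its own old copy.
const sampleLock = {
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/send": { version: "0.19.0" },
    "node_modules/serve-static": { version: "1.16.0" },
    "node_modules/serve-static/node_modules/send": { version: "0.18.0" },
    "node_modules/express": { version: "4.19.2" },
  },
};

console.log(JSON.stringify(findVulnerable(sampleLock), null, 2));
```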
@arndom

arndom commented Sep 17, 2024

@bombillazo can I work on this if you're unavailable?

@arndom arndom linked a pull request Sep 18, 2024 that will close this issue
3 participants