
Security: JS-yaml #1845

Closed
@pmespresso

Description

  • I confirm that this is an issue rather than a question.

Bug report

Steps to reproduce

What is expected?

js-yaml should be a version higher than 1.13.1.

What is actually happening?

It is not, and it is a security vulnerability.

nodeca/js-yaml#475
Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.

nodeca/js-yaml#480
js-yaml versions prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

"js-yaml": "^3.11.0",

Other relevant information

  • Found this from GitHub's automatic security report on a project that has a dependency that has a dependency that has a dependency that uses vuepress...
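The report above quotes two advisories (fixed in 3.13.0 and 3.13.1) and a package.json range of "^3.11.0". The following is an added example, not code from this issue, from vuepress, or from the js-yaml project: a small Node script that walks a package-lock.json-shaped dependency tree, finds every resolved copy of js-yaml (including transitive ones, which is how this report was triggered), and reports which of the two quoted advisories each copy is still affected by. It also shows that the caret range itself already admits the fixed versions, so the remediation is a lockfile update rather than a package.json change. The lock fragment is constructed sample data, and the semver handling is a deliberately minimal MAJOR.MINOR.PATCH comparison rather than the real semver package.

```javascript
// Added example (not from the vuepress issue or the js-yaml project): audit
// resolved js-yaml versions against the two advisories quoted in the report.
// Runs offline; no external packages; all input below is constructed.

// Fixed versions exactly as stated in the advisories quoted in the issue.
const JS_YAML_ADVISORIES = [
  { ref: 'nodeca/js-yaml#475', issue: 'Denial of Service', fixedIn: '3.13.0' },
  { ref: 'nodeca/js-yaml#480', issue: 'Code Injection via load()', fixedIn: '3.13.1' },
];

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" is tolerated) into numbers.
// Pre-release tags and build metadata are ignored here; this is not full semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Advisories that a given resolved version is still affected by
// (affected means strictly older than the fixed version).
function openAdvisories(resolvedVersion) {
  return JS_YAML_ADVISORIES.filter(a => compareVersions(resolvedVersion, a.fixedIn) < 0);
}

// Caret range "^X.Y.Z" with X >= 1 allows >= X.Y.Z and < (X+1).0.0.
// (0.x caret semantics differ and are deliberately not handled here.)
function caretAllows(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges handled here');
  const base = range.slice(1);
  const [major] = parseVersion(base);
  if (major < 1) throw new Error('0.x caret semantics not handled here');
  return compareVersions(version, base) >= 0 && parseVersion(version)[0] === major;
}

// Constructed lock fragment shaped like package-lock.json (lockfileVersion 1)
// "dependencies" entries: a stale top-level copy and a patched nested copy.
const SAMPLE_LOCK = {
  dependencies: {
    'js-yaml': { version: '3.12.2' },
    'some-dep': { version: '1.0.0', dependencies: { 'js-yaml': { version: '3.13.1' } } },
  },
};

// Walk nested "dependencies" maps and collect every resolved copy of `name`.
function findPackage(lock, name, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [dep, entry] of Object.entries(deps)) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(' > '), version: entry.version });
    findPackage(entry, name, here, out);
  }
  return out;
}

// One row per resolved js-yaml copy: where it sits, its version, open advisories.
function auditLock(lock) {
  return findPackage(lock, 'js-yaml').map(({ path, version }) => ({
    path,
    version,
    open: openAdvisories(version).map(a => a.ref),
  }));
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
console.log('"^3.11.0" admits 3.13.1:', caretAllows('^3.11.0', '3.13.1'));
```

Run it with `node audit-js-yaml.js`; to use it on a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`. The nested walk matters because the stale copy is usually several levels down, exactly as the reporter describes, and a top-level `npm ls js-yaml` style view is what tells you which parent to bump.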
