Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security issue with happy-dom dependency #312

Closed
allencwang opened this issue Nov 9, 2024 · 5 comments · Fixed by #320
Closed

Security issue with happy-dom dependency #312

allencwang opened this issue Nov 9, 2024 · 5 comments · Fixed by #320
Assignees
@brijeshb42
Labels
dependencies Update of dependencies security Pull requests that address a security vulnerability

Comments

@allencwang
Copy link

allencwang commented Nov 9, 2024
edited by oliviertassinari
Loading

There is a security risk with happy-dom library that allows for server side code to be executed with a <script> tag capricorn86/happy-dom#1585. This was patched in version [email protected] but pigment-css is 3 majors versions behind at 12.10.3.

is it possible to update the library version?

GHSA-96g7-g7g9-jxw8

Search keywords:
@github-actions github-actions bot added the status: waiting for maintainer These issues haven't been looked at yet by a maintainer label Nov 9, 2024
@zannager zannager added the dependencies Update of dependencies label Nov 11, 2024
@brijeshb42
Copy link
Contributor

brijeshb42 commented Nov 11, 2024
edited by oliviertassinari
Loading

We'll wait for wyw-in-js release with Anber/wyw-in-js#111 before bumping the dependency here.

@brijeshb42 brijeshb42 mentioned this issue Nov 12, 2024
Merged
1 task
@allencwang
Copy link
Author

Hi there, wondering if there is an expected timeline for this @brijeshb42 since the PR is merged

@oliviertassinari oliviertassinari added security Pull requests that address a security vulnerability and removed status: waiting for maintainer These issues haven't been looked at yet by a maintainer labels Nov 13, 2024
@oliviertassinari
Copy link
Member

oliviertassinari commented Nov 13, 2024
edited
Loading

@allencwang We have created #320.

@brijeshb42 I'm removing the status: waiting for maintainer label as you already triaged this one. Effectively, the use of this label is to be able to not miss a single issue by knowing which one was triaged vs. wasn't https://github.com/mui/pigment-css/issues?q=is%3Aissue+is%3Aopen+label%3A%22status%3A+waiting+for+maintainer%22.

@github-actions GitHub Actions
Copy link

This issue has been closed. If you have a similar problem but not exactly the same, please open a new issue.
Now, if you have additional information related to this issue or things that could help future readers, feel free to leave a comment.

Note

@allencwang How did we do? Your experience with our support team matters to us. If you have a moment, please share your thoughts in this short Support Satisfaction survey.

@brijeshb42
Copy link
Contributor

Published new version 0.0.27.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brijeshb42 brijeshb42

Labels
dependencies Update of dependencies security Pull requests that address a security vulnerability
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[react] Bump wyw versions brijeshb42/pigment-css
4 participants
@brijeshb42 @oliviertassinari @allencwang @zannager