Version 0.14.0 Vulnerabilities

Open Elte156 opened this issue 1 year ago • 3 comments

Describe the bug

Currently, @lhci/cli 0.14.0 has a number of vulnerabilities

Here is one we identified:

https://security.snyk.io/vuln/SNYK-JS-COOKIE-8163060

Issues with no direct upgrade or patch:
  ✗ Cross-site Scripting (XSS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JS-COOKIE-8163060] in [email protected]
    introduced by @lhci/[email protected] > [email protected] > [email protected] and 7 other path(s)
  This issue was fixed in versions: 0.7.0

Elte156, Oct 09 '24 15:10

I think I came across something similar in a few of my repositories.

@lhci/[email protected] requires cookie@^0.4.1 via a transitive dependency on @sentry/[email protected]
@lhci/[email protected] requires [email protected] via a transitive dependency on [email protected]

hamirmahal, Oct 13 '24 22:10
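The Snyk output in the issue body ("introduced by ... and 7 other path(s)", "no direct upgrade or patch") and the two transitive paths listed in the comment above are the kind of thing worth enumerating mechanically before deciding how to remediate. The script below is an added example, not code from lighthouse-ci or from anyone in this thread: it walks a dependency tree in the shape that `npm ls --all --json` prints, reports every path that pulls in a `cookie` older than the fixed 0.7.0, and emits the package.json `overrides` stanza that pins the transitive dependency. The sample tree, the `express` and `@sentry/node` version numbers and the `other-lib` package are constructed for the demonstration; only the package name and the fixed version come from the Snyk entry.

```javascript
// Added example: enumerate the paths by which a vulnerable transitive
// dependency is introduced, then generate an npm "overrides" entry.
// Not code from the lighthouse-ci project or from this issue thread.

// Fact from the advisory (SNYK-JS-COOKIE-8163060): cookie was fixed in 0.7.0.
const FIXED_VERSIONS = { cookie: "0.7.0" };

// CONSTRUCTED tree in the shape of `npm ls --all --json` output.
// Versions for express, @sentry/node and other-lib are hypothetical.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "@lhci/cli": {
      version: "0.14.0",
      dependencies: {
        express: {
          version: "4.19.2", // hypothetical
          dependencies: { cookie: { version: "0.6.0" } }, // vulnerable
        },
        "@sentry/node": {
          version: "6.19.7", // hypothetical
          dependencies: { cookie: { version: "0.4.2" } }, // vulnerable
        },
        "other-lib": {
          version: "2.0.0", // hypothetical
          dependencies: { cookie: { version: "0.7.1" } }, // already fixed
        },
      },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored).
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparsable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator; numeric, not lexicographic,
// so that 0.10.0 correctly sorts after 0.9.0.
function compareVersions(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk; every occurrence of `name` below `fixedVersion`
// is reported with its full "root > dep > dep" path, so nothing hides
// behind "and N other path(s)".
function findVulnerablePaths(tree, name, fixedVersion) {
  const hits = [];
  const walk = (node, path) => {
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      const next = [...path, `${dep}@${child.version}`];
      if (dep === name && compareVersions(child.version, fixedVersion) < 0) {
        hits.push(next.join(" > "));
      }
      walk(child, next);
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// npm (8.3+) "overrides" replaces every nested occurrence of the package,
// which is the lever you have when no direct dependency has shipped a fix.
function buildOverrides(fixedVersions) {
  const overrides = {};
  for (const [pkg, version] of Object.entries(fixedVersions)) {
    overrides[pkg] = `^${version}`;
  }
  return { overrides };
}

// Human-readable report for a tree; returned rather than only printed.
function auditReport(tree) {
  const lines = [];
  for (const [pkg, fixed] of Object.entries(FIXED_VERSIONS)) {
    const paths = findVulnerablePaths(tree, pkg, fixed);
    lines.push(`${pkg}: ${paths.length} vulnerable path(s), fixed in ${fixed}`);
    for (const p of paths) lines.push(`  ${p}`);
  }
  lines.push("suggested package.json addition:");
  lines.push(JSON.stringify(buildOverrides(FIXED_VERSIONS), null, 2));
  return lines.join("\n");
}

console.log(auditReport(SAMPLE_TREE));
```

To run it against a real project, feed it the parsed output of `npm ls cookie --all --json` instead of `SAMPLE_TREE`. Two caveats: `overrides` is an npm feature (Yarn uses `resolutions`, pnpm uses `pnpm.overrides`), and pinning across a 0.x minor boundary can change behaviour for the packages that depend on it, so re-run the affected consumers' tests after applying the override rather than treating a clean audit as the finish line.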

For what it's worth, it looks like express fixed this with https://github.com/expressjs/express/pull/6029.

hamirmahal, Oct 15 '24 23:10

Related: https://github.com/GoogleChrome/lighthouse-ci/issues/1058

sdavids, Dec 06 '24 11:12