BotFramework-WebChat

Component Governance issues reported on Omnichannel ADO repos

Open · charliewang95 opened this issue 3 years ago · 1 comment

Please view our Technical Support Guide before filing a new issue.

Screenshots

(two screenshots of the Component Governance alerts attached)

Version

4.14.1

Describe the bug

Description: The package nanoid before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows reproducing the last id generated.

Root dependencies for nanoid: postcss 8.3.11, botframework-webchat 4.14.1

Recommendation: Upgrade nanoid from 3.1.30 to 3.1.31 to fix the vulnerability.

Description: Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.9.

Root dependencies for url-parse: botframework-webchat 4.14.1

Recommendation: Upgrade to url-parse 1.5.9.

Steps to reproduce

N/A

Expected behavior

ADO doesn't generate these warnings for webchat packages

Additional context

[Bug]

charliewang95 · Feb 23 '22 22:02

This should be fixed in #4123, i.e. next release. Diff here.

(screenshot of the diff attached)

compulim · Mar 01 '22 04:03