
Update sanitize-html to remove the vulnerabilities

Open evansrobert opened this issue 3 years ago • 0 comments

Hi, @codenirvana,

Issue Description

When I build my project, I notice that the vulnerabilities CVE-2021-26539, CVE-2021-26540, and SNYK-JS-SANITIZEHTML-585892 are detected in package [email protected], which is directly referenced by [email protected]. However, [email protected] is so popular that a large number of the latest versions of active and popular downstream projects depend on it (44,096 downloads per week and about 93 downstream projects, e.g., @stoplight/http-spec 4.2.2, @stoplight/prism-cli 4.3.1, @open-wa/wa-automate 4.12.3, @stoplight/elements 7.0.6, postman-to-k6 1.5.0, etc.). In this case, the vulnerability CVE-2021-26539 can be propagated into these downstream projects and expose them to security threats. As you can see, [email protected] is introduced into the above projects via the following package dependency paths: (1)@open-wa/[email protected][email protected][email protected][email protected] ......

I know that it's kind of you to have removed the vulnerability since [email protected]. But, in fact, the large number of downstream projects above cannot easily upgrade postman-collection from version 3.6.11 to (>=4.0.0): the projects such as postman-2-swagger, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade postman-collection nor be easily migrated by the large number of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerabilities from package [email protected]?

Suggested Solution

Since these inactive projects set a version constraint 3.6.* for postman-collection on the above vulnerable dependency paths, if postman-collection removes the vulnerability from 3.6.11 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the downstream projects.

In [email protected], maybe you can try to perform the following upgrade: sanitize-html 1.20.1 ➔ ^2.3.2;
Note: [email protected](>=2.3.2) has fixed the vulnerability CVE-2021-26539, CVE-2021-26540, and SNYK-JS-SANITIZEHTML-585892.

Thank you for your attention to this issue, and you are welcome to share other ways to resolve it. ^_^

evansrobert, Aug 12 '21 08:08
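The propagation argument in the issue rests on how semver ranges resolve: a dependent pinned to `3.6.*` will pick up a `3.6.12` patch release on a fresh install but never a `4.x` release, and `^2.3.2` admits every `2.x` at or above the fix. The following is an added example, not code from the issue or from the postman-collection project: a minimal matcher for exactly the three range shapes the issue uses (`x.y.*`, `^x.y.z`, `>=x.y.z`), with plain `x.y.z` versions only (no prerelease tags or build metadata, an assumption of this example), that lets you check whether a given release would flow through a pinned range.

```javascript
// Minimal semver range matcher for the range shapes used in the issue.
// Assumption: versions are plain "major.minor.patch"; prerelease tags and
// build metadata are not handled.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number); // [major, minor, patch]
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies `range`.
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  let m;
  if ((m = /^(\d+)\.(\d+)\.[*x]$/.exec(r))) {
    // "3.6.*": same major and minor, any patch level.
    return v[0] === Number(m[1]) && v[1] === Number(m[2]);
  }
  if ((m = /^\^(\d+\.\d+\.\d+)$/.exec(r))) {
    // "^2.3.2": >= 2.3.2 and the leftmost non-zero component unchanged.
    const base = parseVersion(m[1]);
    if (compareVersions(version, m[1]) < 0) return false;
    const locked = base[0] > 0 ? 1 : base[1] > 0 ? 2 : 3;
    return v.slice(0, locked).every((x, i) => x === base[i]);
  }
  if ((m = /^>=(\d+\.\d+\.\d+)$/.exec(r))) {
    return compareVersions(version, m[1]) >= 0;
  }
  throw new Error(`unsupported range: ${r}`);
}

// Would a dependent pinned to `range` receive `candidate` on a fresh install?
function wouldPropagate(range, candidate) {
  return satisfies(candidate, range);
}

// Values from the issue: downstream projects pin postman-collection 3.6.*,
// and sanitize-html >= 2.3.2 carries the fix.
console.log(wouldPropagate('3.6.*', '3.6.12')); // true: a 3.6.x patch release reaches them
console.log(wouldPropagate('3.6.*', '4.0.0'));  // false: the fixed 4.x line does not
console.log(satisfies('1.20.1', '>=2.3.2'));    // false: pinned sanitize-html is still vulnerable
```

Run it with `node` to see which of the releases discussed above would actually reach a dependent that pins `3.6.*`.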