Sam Reed
Though, https://packagist.org/packages/zendframework/zendservice-apple-apns and https://packagist.org/packages/zendframework/zendservice-apple-apns are both abandoned....
A year has passed, and it seems flasgger is still running the same version of swagger-ui. It has been reasonably well documented (for around a year) that an XSS exists...
Ping @billyrrr for visibility.
Taking https://github.com/flasgger/flasgger#externally-loading-swagger-ui-and-jquery-jscss as an example, it is "easy" enough to upgrade the version of swagger-ui being used by overriding it in config.

```
swagger_config = Swagger.DEFAULT_CONFIG
swagger_config['swagger_ui_bundle_js'] = '//unpkg.com/swagger-ui-dist@3/swagger-ui-bundle.js'
swagger_config['swagger_ui_standalone_preset_js']...
```
I mean, I could write a script myself (basically download, extract and copy)... but that's why I filed https://github.com/flasgger/flasgger/issues/576 for doing the node package management properly because in exactly the...
The absolute MVP for verifying what I've done... cd to your flasgger dir. checkout https://github.com/flasgger/flasgger/pull/578, then

```
cd flasgger/ui3/static
wget https://registry.npmjs.org/swagger-ui-dist/-/swagger-ui-dist-3.52.5.tgz
tar -xvf swagger-ui-dist-3.52.5.tgz
cp package/favicon-* .
cp package/swagger-ui.css* ....
```
Script added (designed to be run from repo root) in parent patch, using current committed version... Updated the version in the patch that I've updated the library...

```
$ ./scripts/loadswaggerui.sh...
```
Hang on, I've just noticed https://github.com/flasgger/flasgger/blob/master/Makefile#L37-L38

```
# Updates swagger_ui_dist files
# Need to manually remove extra files added by this command
upgrade_swagger_ui:
	@tar --strip-components 1 -C flasgger/ui3/static/ -xvf `npm...
```
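As an added example (not code from this thread, from PR 578 or from flasgger itself), the manual wget/tar/cp steps and the Makefile target above can be folded into one shell function that unpacks a pinned swagger-ui-dist tarball and copies only the files the bundled UI serves, so no extra files have to be removed afterwards. The file list and the optional hex SHA-512 check are my assumptions; the tarball is assumed to have npm's usual `package/` top-level directory.

```bash
#!/usr/bin/env bash
# Added example, not part of flasgger or the PR discussed above.
# Files flasgger's ui3/static bundle needs (assumed list, derived from the
# favicon-*/swagger-ui.css* pattern in the thread).
SWAGGER_UI_FILES="favicon-16x16.png favicon-32x32.png \
swagger-ui.css swagger-ui.css.map \
swagger-ui-bundle.js swagger-ui-bundle.js.map \
swagger-ui-standalone-preset.js swagger-ui-standalone-preset.js.map"

# install_swagger_ui <tarball.tgz> <dest_dir> [expected_sha512_hex]
# Verifies the tarball (if a digest is given) BEFORE extracting anything,
# then copies only the whitelisted files into dest_dir. Returns non-zero on
# a digest mismatch or extraction failure, leaving dest_dir untouched.
install_swagger_ui() {
  local tgz="$1" dest="$2" expected="${3:-}"
  local tmp actual f
  if [ -n "$expected" ]; then
    actual="$(sha512sum "$tgz" | cut -d' ' -f1)"
    if [ "$actual" != "$expected" ]; then
      echo "sha512 mismatch for $tgz" >&2
      return 1
    fi
  fi
  tmp="$(mktemp -d)" || return 1
  # Extract into a scratch dir, never straight into the static dir.
  if ! tar -xzf "$tgz" -C "$tmp"; then
    rm -rf "$tmp"
    return 1
  fi
  mkdir -p "$dest" || { rm -rf "$tmp"; return 1; }
  for f in $SWAGGER_UI_FILES; do
    # Missing optional files (e.g. .map) are skipped, not errors.
    if [ -f "$tmp/package/$f" ]; then
      cp "$tmp/package/$f" "$dest/$f" || { rm -rf "$tmp"; return 1; }
    fi
  done
  rm -rf "$tmp"
}

# Example usage, assuming the tarball was fetched as in the thread:
#   install_swagger_ui swagger-ui-dist-3.52.5.tgz flasgger/ui3/static
```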
Updated the Makefile in the amended commit... I think that works for the scripting/"proof"
Guess we should test this in dev... But don't have access to the server logs...