
CVE-2020-28502: xmlhttprequest-ssl-1.5.5.tgz

Open smeltofelderberries opened this issue 3 years ago • 3 comments

Vulnerability registered for nested dependency with xmlhttprequest-ssl-1.5.5. Upgrade to 1.7.0 should remediate.

I can work on the PR, but if someone gets it sooner, great.

Additional Data

Dependency map: @serverless/components-3.7.7.tgz
 -> platform-client-china-2.1.9.tgz
   -> utils-china-1.0.14.tgz
     -> socket.io-client-2.4.0.tgz
       -> engine.io-client-3.5.1.tgz
         -> xmlhttprequest-ssl-1.5.5.tgz

smeltofelderberries Mar 24 '21 18:03
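A practical check for the situation described in the issue, as an added example that is not part of the issue or of the serverless project's own code: walk a package-lock.json (lockfileVersion 1 shape, nested "dependencies") and report every path that reaches xmlhttprequest-ssl below the fixed version, then emit the package.json fragment that pins it. The lock data below is constructed to mirror the chain in the issue body (plus one hoisted, already-patched copy that must not be flagged); it is not a real lockfile, and the unscoped package names are taken from the issue's tarball names rather than looked up on npm.

```javascript
// Added example, not code from the issue or from @serverless/components.
// Finds every dependency path in a lockfile tree that ends in a
// vulnerable xmlhttprequest-ssl, and builds the override that pins it.

const VULNERABLE_PACKAGE = 'xmlhttprequest-ssl';
const FIXED_VERSION = '1.7.0'; // issue states 1.7.0 remediates CVE-2020-28502

// Constructed sample lock data (lockfileVersion 1 layout); names/versions
// copied from the dependency map in the issue, not a real lockfile.
const sampleLock = {
  name: '@serverless/components',
  version: '3.7.7',
  lockfileVersion: 1,
  dependencies: {
    'platform-client-china': {
      version: '2.1.9',
      dependencies: {
        'utils-china': {
          version: '1.0.14',
          dependencies: {
            'socket.io-client': {
              version: '2.4.0',
              dependencies: {
                'engine.io-client': {
                  version: '3.5.1',
                  dependencies: {
                    'xmlhttprequest-ssl': { version: '1.5.5' },
                  },
                },
              },
            },
          },
        },
      },
    },
    // Hoisted copy at the fixed version: must not be reported.
    'xmlhttprequest-ssl': { version: '1.7.0' },
  },
};

// Numeric semver compare on major.minor.patch; pre-release tags are
// ignored, which is enough for the plain release versions in a lockfile.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over nested "dependencies"; returns one "a@1 -> b@2"
// string per path whose leaf is `pkg` at a version below `fixed`.
function findVulnerablePaths(lock, pkg = VULNERABLE_PACKAGE, fixed = FIXED_VERSION) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${entry.version}`];
      if (name === pkg && compareVersions(entry.version, fixed) < 0) {
        hits.push(here.join(' -> '));
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, [`${lock.name}@${lock.version}`]);
  return hits;
}

// package.json fragment that forces the patched version across the tree:
// npm (8.3+) reads "overrides", Yarn reads "resolutions".
function overrideFragment(pkg = VULNERABLE_PACKAGE, fixed = FIXED_VERSION) {
  const range = `^${fixed}`;
  return { overrides: { [pkg]: range }, resolutions: { [pkg]: range } };
}

// Stand-alone usage: list each vulnerable path, then the pin to apply.
for (const p of findVulnerablePaths(sampleLock)) console.log(p);
console.log(JSON.stringify(overrideFragment(), null, 2));
```

Point the walker at `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; an empty result after re-running `npm install` with the override in place is the check that the nested copy is actually gone, since a fix landing upstream in utils-china only helps once that new release is pulled through the whole chain.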

There is an advisory for that: https://npmjs.com/advisories/1665.

flisboac May 04 '21 23:05

There is an issue in the utils-china package which seems to be related, and should fix the upstream dependency chain if resolved, as well. https://github.com/serverlessinc/utils-china/issues/73

KilleRBBC May 05 '21 10:05

Relates to https://github.com/serverless/serverless/issues/9431

cschroedl-gov May 07 '21 19:05