
Remediate High serialize-javascript vulnerability #620

Closed
Lilalamar opened this issue Jan 28, 2020 · 3 comments
Labels
canary Done by the Clever Canary

Comments

Lilalamar commented Jan 28, 2020

Snyk reports the following High severity vulnerability in HumanCellAtlas/data-portal. Please remediate by the end of Q1 Milestone 2.

Description
serialize-javascript

Suggested Remediation
Upgrade serialize-javascript to version 2.1.1 or higher.

Details
serialize-javascript is a package to serialize JavaScript to a superset of JSON that includes regular expressions and functions. Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly sanitize against unsafe characters in serialized regular expressions. This vulnerability does not affect Node.js environments, since Node.js's implementation of RegExp.prototype.toString() backslash-escapes all forward slashes in regular expressions.
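The following is an added example, not code from serialize-javascript or the data-portal project, illustrating the mechanism the Snyk description refers to: a regex source containing an unescaped `/` can emit `</script>` into an inline script, while escaping every bare forward slash keeps the regex semantics and removes the break-out. `RAW_PATTERN` is a constructed sample standing in for what a non-escaping engine returns; `naiveSerializeRegExp` only models the vulnerable behaviour.

```javascript
'use strict';

// Constructed sample: the pattern text an engine that does NOT escape '/'
// would hand back for  new RegExp('</script>') . Node.js returns '<\/script>'.
const RAW_PATTERN = '</script>';

// Models the vulnerable behaviour: emit the pattern between slashes unchanged.
function naiveSerializeRegExp(source, flags = '') {
  return '/' + source + '/' + flags;
}

// Escape every '/' that is not already escaped. A backslash and the character
// after it are consumed as a unit, so "\\/" (escaped backslash, bare slash)
// still gets its slash escaped while "\/" is left alone.
function escapeForwardSlashes(source) {
  let out = '';
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (ch === '\\' && i + 1 < source.length) {
      out += ch + source[i + 1]; // keep the existing escape intact
      i++;
    } else if (ch === '/') {
      out += '\\/';
    } else {
      out += ch;
    }
  }
  return out;
}

// Hardened serializer: same output shape, but no bare '/' can survive.
function safeSerializeRegExp(source, flags = '') {
  return '/' + escapeForwardSlashes(source) + '/' + flags;
}

// Detection check for output destined for an inline <script>: the HTML
// tokenizer ends the script on the literal sequence "</script", so that is
// what we look for.
function breaksOutOfScript(serialized) {
  return /<\/script/i.test(serialized);
}

// Round-trip check: escaping must not change what the regex matches.
function sameMatches(rawSource, escapedSource, flags, inputs) {
  const a = new RegExp(rawSource, flags);
  const b = new RegExp(escapedSource, flags);
  return inputs.every((s) => a.test(s) === b.test(s));
}

console.log('naive:', naiveSerializeRegExp(RAW_PATTERN), breaksOutOfScript(naiveSerializeRegExp(RAW_PATTERN)));
console.log('safe :', safeSerializeRegExp(RAW_PATTERN), breaksOutOfScript(safeSerializeRegExp(RAW_PATTERN)));
```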

@Lilalamar Lilalamar added this to the Q1 2020 Milestone 2 milestone Jan 28, 2020
@github-actions github-actions bot added the canary Done by the Clever Canary label Jan 28, 2020
NoopDog (Collaborator) commented Jan 28, 2020

@theathorn requesting permission to do security updates for the data-portal.

NoopDog (Collaborator) commented Feb 10, 2020

@Lilalamar the fix for this is deployed to prod. This should resolve the alert. Please re-open if you find this is still a problem. Cheers, D

Lilalamar (Author) commented

@NoopDog thank you!!
