Security vulnerabilities in dependency "jsrsasign" #743
Yes, I'd love to ditch it but I'm not getting a lot of support on the PR: #639. The author of jsrsasign indicated that his lib is not using the affected features.
Closing. If you still have issues or find that the affected component is being used, feel free to reopen.
@brockallen Retire.js still reports this vulnerability. Should I ignore it or was this issue fixed already in some version?
Same answer as before.
Ok, I see. The library might not use the affected features but still our vulnerability scanner complains about it. As the YUI lib is affected by multiple CVEs, this is adding quite some noise on our security dashboard. Currently, there are 50+ warnings across our apps which we need to manually review and whitelist :( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5881
Eventually when I have time, I will work on a 2.0 that no longer uses that library.
Also, I think their use of yui is just in their build tooling. |
Ey! I am having the same vulnerability on my projects. Will there be any updates?
@brockallen this problem still exists. I have installed oidc-client package via NPM and this vulnerable code snippet gets into build bundle, raising flags with security auditing tools. Are there plans for 2.0 without this dependency included? |
Once we remove implicit flow, yes. |
Hi,
we are using the oidc-client-js component in our SPA application and one of our security scans reported a vulnerability because of YUI. YUI 2.9.0 seems to have some vulnerabilities, as reported here:
https://www.cvedetails.com/vulnerability-list/vendor_id-290/product_id-20206/version_id-137803/Yahoo-YUI-2.9.0.html
After investigation I see that this Issue is related to kjur/jsrsasign#140. Is there a way to remove / replace jsrsasign?
Thanks,
Daniel