
Update webpack-dev-server and react-dom #159

merged 1 commit into from Jan 10, 2019



danielcaldas commented Jan 10, 2019

CVE-2018-6341 react-dom

low severity
Vulnerable versions: >= 16.4.0, < 16.4.2
Patched version: 16.4.2
React applications which rendered to HTML using the ReactDOMServer API were not escaping user-supplied attribute names at render-time. That lack of escaping could lead to a cross-site scripting vulnerability. This vulnerability can only affect some server-rendered React apps. Purely client-rendered apps are not affected.

This issue affected minor releases 16.0.x, 16.1.x, 16.2.x, 16.3.x, and 16.4.x. It was fixed in 16.0.1, 16.1.2, 16.2.1, 16.3.3, and 16.4.2.

CVE-2018-14732 webpack-dev-server

low severity
Vulnerable versions: < 3.1.11
Patched version: 3.1.11
An issue was discovered in lib/Server.js in webpack-dev-server before 3.1.11. Attackers are able to steal developer's code because the origin of requests is not checked by the WebSocket server, which is used for HMR (Hot Module Replacement). Anyone can receive the HMR message sent by the WebSocket server via a ws:// connection from any origin.
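
An added illustration (not code from this PR or from webpack-dev-server itself) of the Origin check that the CVE-2018-14732 advisory above describes as missing from the HMR WebSocket server: the upgrade request's Origin header is parsed and its host:port compared against an allowlist before the connection is accepted. The allowlist, the header objects and the `shouldAcceptUpgrade`/`auditUpgradeRequests` names are constructed for this example.

```javascript
// Constructed allowlist: the host:port values a dev server bound to localhost:8080
// would have served pages from. A real server would derive this from its own bind address.
const ALLOWED_HOSTS = new Set(["localhost:8080", "127.0.0.1:8080"]);

// Returns true only if the Origin header is a well-formed http(s) URL whose
// host:port is on the allowlist. Comparing the parsed host, not a string prefix,
// rejects look-alikes such as http://localhost:8080.attacker.example.
function isAllowedOrigin(originHeader, allowedHosts = ALLOWED_HOSTS) {
  if (typeof originHeader !== "string" || originHeader === "") return false;
  let url;
  try {
    url = new URL(originHeader);           // "null" and other non-URLs throw here
  } catch {
    return false;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return allowedHosts.has(url.host);       // url.host is "hostname:port" (port omitted if default)
}

// Verdict for one WebSocket upgrade request. `headers` is shaped like node's
// http.IncomingMessage#headers (lowercased keys). A browser always sends Origin
// on an upgrade, so a missing header is treated as not allowed.
function shouldAcceptUpgrade(headers, allowedHosts = ALLOWED_HOSTS) {
  return isAllowedOrigin(headers.origin, allowedHosts);
}

// Run the check over a batch of upgrade requests and report each verdict.
function auditUpgradeRequests(requests, allowedHosts = ALLOWED_HOSTS) {
  return requests.map((headers) => ({
    origin: headers.origin === undefined ? "(none)" : headers.origin,
    accepted: shouldAcceptUpgrade(headers, allowedHosts),
  }));
}

// Constructed sample: headers of five upgrade requests as a dev server might see them.
const SAMPLE_UPGRADES = [
  { host: "localhost:8080", origin: "http://localhost:8080" },                  // page served by the dev server
  { host: "localhost:8080", origin: "http://127.0.0.1:8080" },                  // same server, IP form
  { host: "localhost:8080", origin: "http://localhost:8080.attacker.example" }, // look-alike host
  { host: "localhost:8080", origin: "null" },                                   // opaque origin (sandboxed iframe, file://)
  { host: "localhost:8080" },                                                   // no Origin header at all
];

console.table(auditUpgradeRequests(SAMPLE_UPGRADES));
```

Only the first two requests are accepted; a server that skipped this check would have handed HMR messages to all five.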

@danielcaldas danielcaldas merged commit 520d2bd into master Jan 10, 2019
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
@danielcaldas danielcaldas deleted the fix/update-dependencies-vulnerabilities branch Jan 10, 2019