GitHub Security Alert #2
Comments
Thank you for this issue. But I'm confused. What are you reporting? Please write the expected behavior and the actual behavior.
@gminova
@SercanShortcut Case by case. If attackers can provide an arbitrary code that
I'm closing as the question has been answered. Feel free to open a new issue if you have questions.
Vulnerability is fixed in
??? GHSA-3gx7-xhv7-5mx3 has been fixed already. The advisory was published after fixed.
Sorry for the noise :( Yes indeed, it's fixed. I didn't read carefully the advisory GHSA-3gx7-xhv7-5mx3 that there is a patch release available.
Remediation
Upgrade eslint-utils to version 1.4.1 or later. For example:
"dependencies": {
  "eslint-utils": ">=1.4.1"
}
or…
"devDependencies": {
  "eslint-utils": ">=1.4.1"
}
Always verify the validity and compatibility of suggestions with your codebase.
Details
GHSA-3gx7-xhv7-5mx3
critical severity
Vulnerable versions: >= 1.2.0, < 1.4.1
Patched version: 1.4.1
'getStaticValue' function can execute arbitrary code
Impact
getStaticValue function can execute arbitrary code.
Patches
This problem has been patched in 1.4.1. Please update eslint-utils.
Workarounds
Don't use getStaticValue function, getStringIfConstant function, and getPropertyName function.
For more information
If you have any questions or comments about this advisory:
Open an issue in eslint-utils
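The advisory's version range turned into a lockfile check, as an added example (not code from the eslint-utils project or from this issue): eslint-utils is often installed as a transitive dependency, so the script lists every installed copy recorded in a `package-lock.json` and flags those in `>= 1.2.0, < 1.4.1`. The sample lockfile and the package names `eslint-plugin-demo` and `legacy-tool` are constructed, and prerelease suffixes are ignored as a simplifying assumption.

```javascript
// Added example: locate every eslint-utils copy in a lockfile and flag the
// ones inside the advisory's vulnerable range (>= 1.2.0, < 1.4.1).
const RANGE_MIN = [1, 2, 0];   // inclusive lower bound from the advisory
const RANGE_FIXED = [1, 4, 1]; // patched version, exclusive upper bound

// Parse "major.minor.patch"; anything after the patch number is ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerable(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, RANGE_MIN) >= 0 && compare(v, RANGE_FIXED) < 0;
}

// Supports lockfile v2/v3 ("packages" keyed by install path) and v1 (nested "dependencies").
function findEslintUtils(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, vulnerable: isVulnerable(version) });
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/eslint-utils')) record(path, meta.version);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'eslint-utils') record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample: one patched top-level copy, one nested vulnerable copy,
// and one nested copy older than the affected range.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/eslint-utils': { version: '1.4.3' },
    'node_modules/eslint-plugin-demo/node_modules/eslint-utils': { version: '1.3.1' },
    'node_modules/legacy-tool/node_modules/eslint-utils': { version: '1.1.0' },
  },
};

console.log(findEslintUtils(sampleLock).filter((h) => h.vulnerable));
```

A nested copy such as the one under `eslint-plugin-demo` stays at its locked version until the lockfile entry itself is updated, so check the lockfile after upgrading, not only `package.json`.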