GitHub Security Alert #2
Comments
|
Thank you for this issue. But I'm confused. What are you reporting? Please write the expected behavior and the actual behavior. |
|
@gminova |
|
@SercanShortcut Case by case. If attackers can provide an arbitrary code that |
|
I'm closing as the question has been answered. Feel free to open a new issue if you have questions. |
|
Vulnerability is fixed in |
|
??? GHSA-3gx7-xhv7-5mx3 has been fixed already. The advisory was published after fixed. |
|
Sorry for the noise :( Yes indeed, it's fixed. I didn't read carefully the advisory GHSA-3gx7-xhv7-5mx3 that there is a patch release available. |
Remediation
Upgrade eslint-utils to version 1.4.1 or later. For example:
"dependencies": {
"eslint-utils": ">=1.4.1"
}
or…
"devDependencies": {
"eslint-utils": ">=1.4.1"
}
Always verify the validity and compatibility of suggestions with your codebase.
Details
GHSA-3gx7-xhv7-5mx3 More information
critical severity
Vulnerable versions: >= 1.2.0, < 1.4.1
Patched version: 1.4.1
'getStaticValue' function can execute arbitrary code
Impact
getStaticValue function can execute arbitrary code.
Patches
This problem has been patched in 1.4.1. Please update eslint-utils.
Workarounds
Don't use getStaticValue function, getStringIfConstant function, and getPropertyName function.
For more information
If you have any questions or comments about this advisory:
Open an issue in eslint-utils
The text was updated successfully, but these errors were encountered: