Require ua-parser-js >= 0.7.30

Created on 25 October 2021, over 3 years ago
Updated 5 August 2024, 9 months ago

Problem/Motivation

CISA issued an advisory [1] regarding malware found in a recent release (0.7.29) of the ua-parser.js NPM package. The yarn lockfile distributed with Lightning Scheduler points to version 0.7.17 of ua-parser.js, which is not compromised.

Proposed resolution

Although this does not currently constitute a security issue with the module, consider requiring version 0.7.30 or later of the package as a safeguard.

References

[1] https://us-cert.cisa.gov/ncas/current-activity/2021/10/22/malware-discov...

📌 Task
Status

Closed: outdated

Version

1.3

Component

Code

Created by

🇺🇸 United States jmcintyre
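
An added example, not code from this issue or from the Lightning Scheduler project: a Node.js check that reads a yarn v1 lockfile and labels each resolved ua-parser-js version as compromised (0.7.29, the release named above), below the proposed 0.7.30 floor, or ok. The sample lockfile is constructed, and the names `auditLock`, `cmp` and the status labels are assumptions of this example.

```javascript
const COMPROMISED = new Set(["0.7.29"]); // release named in the issue above
const FLOOR = "0.7.30";                  // minimum the issue proposes

// Compare plain x.y.z versions numerically (pre-release tags not handled).
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return Math.sign((pa[i] || 0) - (pb[i] || 0));
  }
  return 0;
}

// One finding per yarn v1 lockfile entry that resolves `pkg`.
function auditLock(text, pkg = "ua-parser-js") {
  const findings = [];
  let specs = null; // specifiers of the entry being read, if it is for pkg
  for (const line of text.split(/\r?\n/)) {
    if (/^[^\s#].*:$/.test(line)) {
      // Entry header, e.g.  "ua-parser-js@^0.7.12", ua-parser-js@^0.7.9:
      const mine = line.slice(0, -1).split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""))
        .filter((s) => s.slice(0, s.lastIndexOf("@")) === pkg);
      specs = mine.length ? mine : null;
      continue;
    }
    const m = specs && /^\s+version\s+"([^"]+)"/.exec(line);
    if (!m) continue;
    const status = COMPROMISED.has(m[1]) ? "compromised"
      : cmp(m[1], FLOOR) < 0 ? "below-floor" : "ok";
    findings.push({ specs, version: m[1], status });
    specs = null;
  }
  return findings;
}

// Constructed sample lockfile (not the module's real yarn.lock).
const SAMPLE = [
  "# yarn lockfile v1", "",
  "example-dep@^1.0.0:", '  version "1.0.0"', "",
  '"ua-parser-js@^0.7.12", ua-parser-js@^0.7.9:', '  version "0.7.17"', "",
  "ua-parser-js@^0.7.28:", '  version "0.7.29"', "",
  "ua-parser-js@~0.7.30:", '  version "0.7.30"', "",
].join("\n");

for (const f of auditLock(SAMPLE)) console.log(f.status, f.version, f.specs.join(", "));
```

A "below-floor" result, such as the 0.7.17 pin described in the issue, is not the compromised release; it only means the lockfile does not yet meet the proposed minimum.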


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇸🇰 Slovakia kaszarobert

    Okay, valid reasons, but since the whole JS build process uses a few years old unsupported packages, the whole thing needs to be redone from scratch with current tools instead.
