- Issue created by @Anwoon
- Status changed to Needs review
over 1 year ago 3:48pm 12 September 2023 - Status changed to Needs work
10 months ago 7:21am 24 April 2024 - 🇮🇳India rajeevgole
I tested the #3 patch. There are vulnerabilities(Critical, Medium) left in the below libraries after implementing the patch.
- @babel/traverse
- PostCSS
- node-tar
- 🇮🇳India vipul tulse
Latest patch to resolve the
------------------------------
json5 Prototype Pollution
VULNERABILITY
CWE-1321OPEN THIS LINK IN A NEW TAB
CVE-2022-46175OPEN THIS LINK IN A NEW TAB
CVSS 6.4OPEN THIS LINK IN A NEW TAB MEDIUM
SNYK-JS-JSON5-3182856
------------------------------
loader-utils Prototype Pollution
VULNERABILITY
CWE-1321OPEN THIS LINK IN A NEW TAB
CVE-2022-37601OPEN THIS LINK IN A NEW TAB
CVSS 7.5OPEN THIS LINK IN A NEW TAB HIGH
SNYK-JS-LOADERUTILS-3043105
------------------------------
loader-utils Regular Expression Denial of Service (ReDoS)
VULNERABILITY
CWE-1333OPEN THIS LINK IN A NEW TAB
CVE-2022-37599OPEN THIS LINK IN A NEW TAB
CVSS 5.3OPEN THIS LINK IN A NEW TAB MEDIUM
SNYK-JS-LOADERUTILS-3042992
------------------------------loader-utils Regular Expression Denial of Service (ReDoS)
VULNERABILITY
CWE-1333OPEN THIS LINK IN A NEW TAB
CVE-2022-37603OPEN THIS LINK IN A NEW TAB
CVSS 5.3OPEN THIS LINK IN A NEW TAB MEDIUM
SNYK-JS-LOADERUTILS-3105943
------------------------------ - 🇮🇳India vipul tulse
Please ignore the above patch, which has issues.
Updated packages and yarn run build
Tested after upgrade build looks goodAdded below override dependencies.
"resolutions": {
"raw-loader/loader-utils": "2.0.4",
"raw-loader/json5": "2.2.2",
"@ckeditor/ckeditor5-dev-utils/del/globby/glob": "10.3.16",
"@ckeditor/ckeditor5-dev-utils/del/rimraf/glob": "10.3.16",
"@ckeditor/ckeditor5-dev-utils/@ckeditor/ckeditor5-dev-translations/rimraf/glob": "10.3.16",
"@ckeditor/ckeditor5-dev-utils/terser-webpack-plugin/serialize-javascript": "6.0.2",
"@ckeditor/ckeditor5-dev-utils/shelljs/glob": "10.3.16",
"@ckeditor/ckeditor5-dev-utils/terser-webpack-plugin/cacache/glob": "10.3.16"
} - 🇮🇳India dev16.addweb
silvi.addweb → made their first commit to this issue’s fork.
- Status changed to Needs review
7 months ago 12:26pm 23 July 2024 - 🇮🇳India sachintyagi99
Latest version security fix patch and included fix for https://www.drupal.org/project/editor_advanced_link/issues/3400107 🐛 Under certain conditions, the attributes of the last modified link are displayed by default when editing another link Active
Automatically closed - issue fixed for 2 weeks with no activity.