URI.js dependency security update #1297
Comments
Thanks for opening the issue @solomchuk ! You are right, we are depending on a very old version of URI.js. I did some digging of the codebase trying to find out what we are using this library for, and the conclusion was a bit surprising - apparently it's not being used at all 😳 Although the script The dependency was added a very long time ago, before we switched to Git and GitHub for version control in 2015, so I cannot trace back the commits related to this dependency. It's possible that it was used in the past in JS code, but then the calling code was rewritten to not use it anymore and we forgot to drop the dependency. From a security perspective this is good news, since code that is not being called at all is unlikely to cause any security issues. In my understanding, the security problems, at least the CVE you mention, are related to parsing of the URI string given to the class. I briefly tested using Skosmos without the aforementioned
Thanks @osma, this is good news! While looking for a workaround for this, I also found this note from URI.js maintainer:
Perhaps this could be the reason you dropped the use of this library 🙂
Skosmos/composer.json
Line 72 in 31f430b
Our client recently performed a security scan on their instance of Skosmos, and flagged up (among other things) that the URI.js library version v1.19.0 has a known vulnerability, CVE-2021-3647. This is fixed in v1.19.7, and the latest is v1.19.11. In fact, most of the changes in URI.js between versions 1.19.0 and 1.19.11 are flagged as security fixes.
As a workaround for now, in our Docker builds we will be using a modified composer.json file with URI.js version set to 1.19.11. Would this version update be feasible in the baseline Skosmos repo?
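A small check in the spirit of the scan the client ran, as an added example that is not part of the issue or of Skosmos: it reads a composer.lock, compares each installed version against the first fixed version from the issue (1.19.7 for CVE-2021-3647), and reports anything older. The lock-file fragment is constructed, and the Composer package name `components/uri.js` is an assumption, not taken from the Skosmos repository.

```python
import json
import re

# Constructed composer.lock fragment for demonstration (not Skosmos's real lock file).
# The package name "components/uri.js" is an assumption.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "components/uri.js", "version": "v1.19.0"},
        {"name": "twig/twig", "version": "v2.14.0"},
    ]
})

# Advisory table: package -> (first fixed version, advisory id), taken from the issue text.
ADVISORIES = {
    "components/uri.js": ("1.19.7", "CVE-2021-3647"),
}


def parse_version(v):
    """Turn 'v1.19.0' or '1.19.11' into a comparable tuple of ints."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(x) for x in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))  # pad so that 1.19 compares equal to 1.19.0
    return tuple(parts)


def vulnerable_packages(lock_json, advisories=ADVISORIES):
    """Return [(name, installed, first_fixed, advisory)] for packages below the fixed version."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            adv = advisories.get(pkg["name"])
            if adv is None:
                continue
            fixed, advisory_id = adv
            if parse_version(pkg["version"]) < parse_version(fixed):
                findings.append((pkg["name"], pkg["version"], fixed, advisory_id))
    return findings


if __name__ == "__main__":
    for name, installed, fixed, adv in vulnerable_packages(SAMPLE_LOCK):
        print(f"{name} {installed} is below first fixed version {fixed} ({adv})")
```

Running it against a real composer.lock only requires replacing `SAMPLE_LOCK` with the file contents; bumping the constraint to 1.19.11 as the workaround describes makes the finding disappear.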