Update js-beautify to avoid OWASP vulnerability report #142
Comments
|
OK, I've created #143 to fix this, but Snyk is failing it... can't see why? |
|
Thank you for this! Looks great!! Synk complains about https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1050875
I don't think there is another patched version available? In doubt, I think I rather use 1.14 instead of 1.9, I guess? |
|
Maybe I'm missing something, but I thought that was exactly the change I was proposing! Snyk however seemed to be failing my proposal because it was working on the master instead of the branch pull request I'd created! Anyway, yes, the change is to move to 1.14.7 (and from org.webjars.bower instead of org.webjars.npm). |
|
As far as I can understand it from Synk, this vulnerability applies to 1.14.7 as well. In any case, will merge it for now since using the newer version should be preferable over using the older one! |
|
New version released with https://github.com/javadelight/delight-nashorn-sandbox/releases/tag/0.3.2 But as said, could still be reporting the vulnerability! |
Currently, OWASP reports:
Updating to js-beautify 1.14.7 avoids this. I tried to do this as a Github pull request, but, between them, Github/Netbeans/Windows mess with the line endings. Github then refuses to ignore line endings when looking at changes (yes, I do have what is allegedly the correct setting in .gitattributes) so it looks like the whole file has changed.
Changes required:
pom.xml line 30 from:
to
and line 32 from:
to
JsSanitizer.java line 50 from:
to
The text was updated successfully, but these errors were encountered: