
Warning for sanitize-html dependency #5137

Open
pelanzag opened this issue Apr 17, 2024 · 1 comment
Labels: Bot Services, bug, customer-reported

Comments

@pelanzag

### Is it an issue related to Adaptive Cards?

No

### Is this an accessibility issue?

No

### What version of Web Chat are you using?

Latest production

### Which distribution are you using Web Chat from?

Bundle (webchat.js)

### Which hosting environment does this issue primarily affect?

Web apps

### On which browsers and platforms does the issue happen?

_No response_

### Which area does this issue affect?

Others or unrelated

### What is the public URL for the website?

_No response_

### Please describe the bug

There's a moderate vulnerability in the dependency sanitize-html, as detailed at NIST CVE-2024-21501:

```text
sanitize-html  <2.12.1
Severity: moderate
sanitize-html Information Exposure vulnerability - https://github.com/advisories/GHSA-rm97-x556-q36h
fix available via `npm audit fix --force`
Will install botframework-webchat@0.15.0, which is a breaking change
node_modules/sanitize-html
  botframework-webchat  >=0.15.1-master.aeca50e
  Depends on vulnerable versions of sanitize-html
  node_modules/botframework-webchat
```

Can you please bump sanitize-html to the latest version?

### Do you see any errors in console log?

```text
sanitize-html  <2.12.1
Severity: moderate
sanitize-html Information Exposure vulnerability - https://github.com/advisories/GHSA-rm97-x556-q36h
fix available via `npm audit fix --force`
Will install botframework-webchat@0.15.0, which is a breaking change
node_modules/sanitize-html
  botframework-webchat  >=0.15.1-master.aeca50e
  Depends on vulnerable versions of sanitize-html
  node_modules/botframework-webchat
```


### How to reproduce the issue?

1. Navigate to root dir.
2. Run `npm audit fix`


### What do you expect?

I expect there to be no issues when running `npm audit fix`

### What actually happened?

I'm getting a warning when running `npm audit fix`


### Do you have any screenshots or recordings to repro the issue?

_No response_

### Adaptive Card JSON

_No response_

### Additional context

_No response_
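Added here as an example (not code from the issue or the Web Chat project): a small lockfile checker that reports every dependent whose resolved `sanitize-html` is below the 2.12.1 threshold the audit output names, so the maintainer can see which dependency to bump rather than letting `npm audit fix --force` downgrade `botframework-webchat`. The sample lockfile and its version numbers are constructed for illustration.

```javascript
// Added example, not code from the issue or the Web Chat project: walk a
// package-lock.json ("packages" map, lockfileVersion 2/3) and report each
// dependent whose resolved sanitize-html is older than 2.12.1, the first
// unaffected version named in the npm audit output in the issue above.
const FIXED_VERSION = "2.12.1";

// Compare "major.minor.patch[-pre]" strings; negative when a < b.
function compareVersions(a, b) {
  const [aCore, aPre] = a.split("-"), [bCore, bPre] = b.split("-");
  const an = aCore.split(".").map(Number), bn = bCore.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((an[i] || 0) !== (bn[i] || 0)) return (an[i] || 0) - (bn[i] || 0);
  }
  return (aPre ? 0 : 1) - (bPre ? 0 : 1); // pre-release sorts before release
}

// Mimic Node resolution inside the lockfile: look under fromPath, then in
// each enclosing node_modules directory up to the root project ("").
function resolveDep(packages, fromPath, name) {
  for (let dir = fromPath; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (dir === "") return null;
    dir = dir.slice(0, dir.lastIndexOf("node_modules/")).replace(/\/$/, "");
  }
}

// One finding per dependent whose sanitize-html resolves below `fixed`.
function findVulnerableSanitizeHtml(lock, fixed = FIXED_VERSION) {
  const packages = lock.packages || {}, findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (!entry.dependencies || !("sanitize-html" in entry.dependencies)) continue;
    const resolved = resolveDep(packages, path, "sanitize-html");
    if (!resolved) continue;
    const version = packages[resolved].version;
    if (compareVersions(version, fixed) < 0) {
      findings.push({ dependent: path || "(root project)", path: resolved, version });
    }
  }
  return findings;
}

// Constructed sample lockfile (versions invented): botframework-webchat pulls
// in an old hoisted sanitize-html; other-lib nests its own already-fixed copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { dependencies: { "botframework-webchat": "*", "other-lib": "*" } },
  "node_modules/botframework-webchat": { version: "0.0.0-sample", dependencies: { "sanitize-html": "^2.11.0" } },
  "node_modules/sanitize-html": { version: "2.11.0" },
  "node_modules/other-lib": { version: "1.0.0", dependencies: { "sanitize-html": "^2.12.1" } },
  "node_modules/other-lib/node_modules/sanitize-html": { version: "2.12.1" },
} };
```

Run it against a real lockfile with `findVulnerableSanitizeHtml(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; an empty array means no dependent resolves to an affected copy.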
@OEvgeny (Collaborator) commented Apr 26, 2024

@compulim any idea why dependabot didn't report this?
