Critical vulnerability -> Chart.js library vulnerable to prototype polution.

Question

Critical vulnerability -> Chart.js library vulnerable to prototype polution.

Opened this issue 5 months ago · 1 comments

Wideyedwonderer commented 5 months ago

What are the steps to reproduce?

Install the latest version of node-red-dashboard as node_module
Go to dist/js/app.min.js
Search for "Chart.js"

What happens?

Version 2.3.0 is found. This library is listed with the following CRITICAL vulnerability in the NIST database: CVE-2020-7746

What do you expect to happen?

Version after 2.9.4 to be found.

Answer 1 · 2024-02-19T10:27:55.000Z

Yes - sadly the angular v1 dashboard uses some other libraries that are pinned to version 2.3 - so you can either rebuild the dashboard without the chart node - or look to move to the dashboard v2.