pvorb/clone

npm README


The npm README for this module states there is an XSS vulnerability; however, this README is different, and npm audit shows no vulnerabilities.

Was the issue resolved and just not republished to npm, or is the issue still there but no longer in this README?

pvorb commented

The vulnerability was fixed in 1.0.4. I removed the note about the vulnerability in 98dc28c. It's still on npm because there has been no new release since that commit. Only releases <= 1.0.3 are marked as vulnerable and would be found by npm audit.

Does that answer your question?
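To make the version-range point above concrete, here is an added example (not code from this project or from npm) of how an advisory like "clone <= 1.0.3" is matched against the versions recorded in a lockfile. The advisory object, its id and the lockfile fragment are constructed for illustration; only the `<= 1.0.3` range and the 1.0.4 / 2.1.2 version numbers come from the thread. The comparator parsing is a deliberately minimal hand-written version of what a semver library does.

```javascript
// Added example: matching a version-range advisory ("clone <= 1.0.3")
// against installed versions from a lockfile. The advisory list and the
// lockfile fragment below are constructed, not real npm data.

// Parse "1.0.4" -> [1, 0, 4]. Prerelease and build metadata are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric major.minor.patch comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy a range of space-separated comparators such as
// "<=1.0.3" or ">=1.0.0 <1.0.4"? A bare version means an exact match.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(clause);
    const op = m[1] || '=';
    const c = compareVersions(version, m[2]);
    switch (op) {
      case '<':  return c < 0;
      case '<=': return c <= 0;
      case '>':  return c > 0;
      case '>=': return c >= 0;
      default:   return c === 0;
    }
  });
}

// Constructed advisory: the id is a placeholder, only the range is from the thread.
const ADVISORIES = [
  { id: 'example-advisory-clone', name: 'clone', vulnerable_versions: '<=1.0.3' },
];

// Constructed lockfile fragment in the package-lock v2/v3 "packages" shape.
// Nested dependencies commonly pin an older copy of a package than the root does.
const LOCKFILE = {
  packages: {
    'node_modules/clone': { version: '2.1.2' },
    'node_modules/old-dep/node_modules/clone': { version: '1.0.3' },
    'node_modules/other-dep/node_modules/clone': { version: '1.0.4' },
  },
};

// Return every lockfile entry whose name and version fall inside an advisory range.
function auditLock(lock, advisories) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // The package name is whatever follows the last "node_modules/" segment.
    const name = path.split('node_modules/').pop();
    for (const adv of advisories) {
      if (adv.name === name && satisfies(entry.version, adv.vulnerable_versions)) {
        hits.push({ path, version: entry.version, advisory: adv.id });
      }
    }
  }
  return hits;
}

console.log(auditLock(LOCKFILE, ADVISORIES));
```

Running this flags only the nested 1.0.3 copy: the root 2.1.2 and the 1.0.4 copy are outside the range, which is why a fresh install that resolves to 2.1.2 audits clean even while the npm page still shows the old README text.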

@pvorb Pardon me, how is it "no new release since that commit"? The latest release is 2.1.2, but npm's README is outdated?

pvorb commented

That commit was after the 2.1.2 release.

Got it. I thought the commit was somewhere between 1.0.4 and 2.1.2 🤣

pvorb commented

Yeah, no worries. I had to revisit the commit history to make sure I wasn't wrong.

The text 'XSS Vulnerability Detected' appears on the npmjs page for clone at the moment, as part of the readme (just before the 'Installation' heading). Is that the same issue as reported here?

pvorb commented

Yes

gubo commented

Hi... may I ask what the XSS vulnerability was due to, and what was the fix? I can't seem to find the fix in the commits...
Thanks much :)