Fix the vulnerability caused by swagger-ui
jannyHou opened this issue · 5 comments
Description
See PR #253: the vulnerability report requires an upgrade from swagger-ui@2.x to swagger-ui@3.x.
There is a breaking change in swagger-ui@3.x to support OpenAPI 3.0.0. We need to:
- Figure out what the effort is to upgrade the dependency swagger-ui from 2 to 3.
- If the effort is reasonable, then do it.
Cross-posting #250 (comment)
Upgrading to swagger-ui@3 is a lot of effort. See #209 for the previous attempt made by @STRML.
The following issue is the biggest blocker:
loopback-swagger needs to produce auth metadata - see strongloop/loopback-swagger#65
The pull request also says:
The npm package no longer exports a bundle. I'm not sure if this is intentional. For this reason, I've added a dev-only script to copy from github releases.
I think this is no longer relevant, we are successfully using https://www.npmjs.com/package/swagger-ui-dist in LB4.
Proposed by @bajtos:
To fix the vulnerability from swagger-api/swagger-ui#3847:
- Submit a PR to swagger-ui to backport the patch from swagger-api/swagger-ui#3848 into swagger-ui@2 instead of upgrading to swagger-ui@3.
It seems like the files where the vulnerability exists in swagger-ui@3 don't exist in swagger-ui@2, so there's no way to backport the patch (also the issue's title, "XSS Vulnerability with Swagger UI v3", mentions it's for v3). Since the effort to upgrade the dependency was agreed to be too much, should we close the issue? @strongloop/loopback-maintainers
Edit: if there are no objections, I'll close the issue but we can reopen it if needed.
I was able to reproduce the issue on a LoopBack 3 application using swagger-ui@2, so I'm reopening this issue.
Closing this issue as no vulnerabilities are reported when creating a new LoopBack 3 app or when doing npm install on this repo where swagger-ui@2.x is a dependency.