tangrams/tangram

High severity security vulnerabilities introduced by the js-yaml v3.5.3 Tangram fork

rokotyan opened this issue · 1 comment

TANGRAM VERSION:
Tangram version: 0.21.1
The js-yaml fork used in Tangram has high severity security vulnerabilities according to npm audit. That makes it difficult to use Tangram in any kind of enterprise product. Is it possible to update js-yaml to version 3.13.1 or later?

ENVIRONMENT:
macOS 10.15.7

TO REPRODUCE THE ISSUE, FOLLOW THESE STEPS:
Add Tangram as a dependency to your project. Run npm audit (or yarn audit).

RESULT:

js-yaml  <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813

EXPECTED RESULT:
npm audit should not find vulnerabilities related to Tangram.
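To complement the npm audit step in the report, the following script (an added example, not code from Tangram or from this issue's author) walks an npm lockfile's "packages" map, locates every installed copy of js-yaml, and reports those whose version is below 3.13.1 together with the dependency chain that pulled them in. It also flags copies whose version cannot be parsed (as a git or file-vendored fork may be recorded), since those are the ones an automated audit can silently miss. The lockfile embedded below is constructed for the example: the Tangram and js-yaml version numbers come from the issue, but the dependency layout and the resolved URLs are placeholders.

```javascript
// Added example: find vulnerable js-yaml copies in an npm lockfile (v2/v3 format).
// Runs offline with Node.js, no dependencies; the lockfile below is constructed.

const VULNERABLE_PACKAGE = 'js-yaml';
const FIRST_FIXED_VERSION = '3.13.1'; // version the issue asks Tangram to move to

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Comparator result (negative, zero, positive); null when either side is unparseable.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) return null;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Turn a lockfile key such as "node_modules/tangram/node_modules/js-yaml"
// into the chain of package names leading to that installed copy.
function dependencyChain(lockKey) {
  return lockKey
    .split('node_modules/')
    .map((s) => s.replace(/\/$/, ''))
    .filter(Boolean);
}

// Scan a parsed lockfile object. One finding per installed copy of js-yaml that is
// either below FIRST_FIXED_VERSION or has no parseable version (e.g. a fork pulled
// from git or a local path), so that nothing passes unnoticed.
function findVulnerableCopies(lockfile) {
  const findings = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    const chain = dependencyChain(key);
    if (chain[chain.length - 1] !== VULNERABLE_PACKAGE) continue;
    const cmp = compareVersions(entry.version, FIRST_FIXED_VERSION);
    if (cmp === null || cmp < 0) {
      findings.push({
        path: key,
        version: entry.version || 'unknown',
        resolved: entry.resolved || 'unknown',
        via: chain.slice(0, -1).join(' > ') || '(direct dependency)',
        reason: cmp === null
          ? 'version not parseable; inspect manually'
          : `below ${FIRST_FIXED_VERSION}`,
      });
    }
  }
  return findings;
}

// Constructed sample lockfile: the root project has a patched js-yaml at top level,
// while tangram carries its own nested copy and another library vendors one locally.
// Version numbers for tangram and its js-yaml copy are from the issue; the
// resolved URLs are placeholders.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { tangram: '0.21.1', 'js-yaml': '3.14.0' } },
    'node_modules/js-yaml': { version: '3.14.0', resolved: 'https://registry.example/js-yaml-3.14.0.tgz' },
    'node_modules/tangram': { version: '0.21.1', dependencies: { 'js-yaml': '*' } },
    'node_modules/tangram/node_modules/js-yaml': { version: '3.5.3', resolved: 'git+https://example.invalid/fork/js-yaml.git' },
    'node_modules/some-lib/node_modules/js-yaml': { resolved: 'file:vendor/js-yaml' },
  },
};

for (const f of findVulnerableCopies(SAMPLE_LOCKFILE)) {
  console.log(`${f.path}  version=${f.version}  via=${f.via}  (${f.reason})`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the "via" field then shows which dependency (here the Tangram fork) needs updating or overriding, which is what npm audit's flat report does not spell out.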

cluen commented

Any updates on this?