
Spoofing attack in swagger-ui-dist #231

Closed
haddigan opened this issue May 6, 2022 · 1 comment
haddigan commented May 6, 2022

Dependabot is reporting a vulnerability in the swagger-ui-dist version used by this package:

The swagger-ui-dist package before 4.1.3 for Node.js could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.

The swagger-ui-dist package is listed in the greenkeeper ignore section of the package.json for this project. Is it absolutely necessary to continue using this insecure version or is it possible to update to the latest 4.1.3?
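
A small dependency check in the spirit of the report above, added here as an example and not code from the issue or the project: it takes a package.json object, compares the swagger-ui-dist pin against the advisory's fixed release 4.1.3 and reports whether greenkeeper has been told to ignore the package. The sample package.json and the helper names are constructed for this example.

```javascript
// Added example (not from the issue or the project): audit a package.json object
// for a swagger-ui-dist pin below the fixed release 4.1.3 named in the Dependabot
// advisory, and note whether greenkeeper has been told to ignore the package.
const FIXED_VERSION = '4.1.3';   // first non-vulnerable release per the advisory
const PACKAGE = 'swagger-ui-dist';

// Parse "1.2.3" (tolerating a leading ^ ~ = >= v and a prerelease suffix) into numbers.
// Returns null for specs such as "*" or "latest", which cannot be judged from package.json.
function parseVersion(spec) {
  const m = /^[\^~=>\s]*v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

// Negative if a < b, zero if equal, positive if a > b (major.minor.patch only).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Returns null if swagger-ui-dist is absent, otherwise { spec, vulnerable, ignoredByGreenkeeper }.
// `vulnerable` is null when the spec is not a concrete version. A range is judged by its
// lower bound, which is conservative: "^4.0.0" is flagged even if the lockfile resolved 4.1.3.
function auditSwaggerUiDist(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const spec = deps[PACKAGE];
  if (spec === undefined) return null;
  const vulnerable = parseVersion(spec) ? compareVersions(spec, FIXED_VERSION) < 0 : null;
  const ignoreList = (pkg.greenkeeper && pkg.greenkeeper.ignore) || [];
  return { spec, vulnerable, ignoredByGreenkeeper: ignoreList.includes(PACKAGE) };
}

// Constructed sample package.json mirroring the situation in the issue (values are made up).
const samplePackageJson = {
  name: 'example-app',
  dependencies: { express: '^4.18.0', 'swagger-ui-dist': '3.52.2' },
  greenkeeper: { ignore: ['swagger-ui-dist'] },
};

const sampleReport = auditSwaggerUiDist(samplePackageJson);
console.log(sampleReport);
// → { spec: '3.52.2', vulnerable: true, ignoredByGreenkeeper: true }
```

Because only the lower bound of a range is compared, confirm the actually installed version in package-lock.json before treating a caret or tilde range as a finding.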

Mairu (Collaborator) commented May 11, 2022

I created a new version today with updated dependencies.
For swagger-ui-dist I did not update to v4, which would be a kind of breaking change, but to the latest 3.52.2.

My plan for future versions is to exclude swagger-ui-dist as a direct dependency.

@Mairu Mairu added this to the v1.2.2 milestone May 11, 2022
@Mairu Mairu removed the question label May 11, 2022
@Mairu Mairu closed this as completed May 11, 2022