jszip dependency 2.6.1 is vulnerable to attack CWE-29 #176
Comments
Technically you have 2.7.0 now, but it still has this vuln. I submitted PR Stuk/jszip#884 to backport the fix, so hopefully this gets accepted, so I can re-release a secured version.

jszip < 3.8.0 has now had a critical (9.8/10) vulnerability disclosed: GHSA-36fh-84j7-cv5h. Could you update jszip to the latest version to resolve this?

Ping me in a couple of days; if there is no response from JSZip I will publish with a forked package.

@kant2002 is there any chance to publish these fixes to npm?

@aslubsky and others, I updated the version to 1.4.1, where I switched to a fork of [email protected] which does not have security issues. I started looking for alternatives to jszip with both sync and async APIs, so I can provide an async API without breaking changes. Let me know if you know of such alternatives.

Thanks a lot! We also use
Hi, the jszip 2.6.1 dependency is vulnerable to attack CWE-29.
It would be great to get a minor hotfix for this to avoid the vulnerability, if it doesn't impact the codebase much. The version to update to would be 3.8.0, which doesn't have the vulnerability.
Thanks.