
Comments (5)

nabdelgadir commented on August 17, 2024

Closing this issue as no vulnerabilities are reported when creating a new LoopBack 3 app or when doing npm install on this repo where [email protected] is a dependency.

from loopback-component-explorer.

bajtos commented on August 17, 2024

Cross-posting #250 (comment)

Upgrading to swagger-ui@3 is a lot of effort. See #209 for the previous attempt made by @STRML.

The following issue is the biggest blocker:

loopback-swagger needs to produce auth metadata - see strongloop/loopback-swagger#65

The pull request also says:

The npm package no longer exports a bundle. I'm not sure if this is intentional. For this reason, I've added a dev-only script to copy from github releases.

I think this is no longer relevant, we are successfully using https://www.npmjs.com/package/swagger-ui-dist in LB4.


nabdelgadir commented on August 17, 2024

Proposed by @bajtos:

To fix the vulnerability from swagger-api/swagger-ui#3847:

  • Submit a PR to swagger-ui to backport the patch from swagger-api/swagger-ui#3848 into swagger-ui@2 instead of upgrading to swagger-ui@3.


nabdelgadir commented on August 17, 2024

It seems like the files where the vulnerability exists in swagger-ui@3 don't exist on swagger-ui@2, so there's no way to backport the patch (also the issue's title, XSS Vulnerability with Swagger UI v3, mentions it's for v3). Since the effort to upgrade the dependency was agreed to be too much, should we close the issue? @strongloop/loopback-maintainers

Edit: if there are no objections, I'll close the issue but we can reopen it if needed.


nabdelgadir commented on August 17, 2024

I was able to reproduce the issue on a LoopBack 3 application using swagger-ui@2, so I'm reopening this issue.

