workbox-webpack-plugin has indirect dependency on vulnerable ejs 2.7.4 package - needs update #2927
Comments

fuzail-ahmed pushed a commit to fuzail-ahmed/workbox that referenced this issue (Oct 18, 2021)
fuzail-ahmed added a commit to fuzail-ahmed/workbox that referenced this issue (Oct 18, 2021)
jeffposnick added a commit that referenced this issue (Nov 2, 2021): "….1 to 2.2.2 (#2927) (#2962) * upgrade to @surma/rollup-plugin-off-main-thread dependencies from 1.4.1 to 2.2.2 (#2927) * Fix validation logic in test * Update deps Co-authored-by: Jeff Posnick <[email protected]>"
This was referenced Nov 27, 2023
This was referenced Apr 30, 2024
Welcome! Please use this template for reporting bugs or requesting features. For questions about using Workbox, the best place to ask is Stack Overflow, tagged with [workbox]: https://stackoverflow.com/questions/ask?tags=workbox

Library Affected:
workbox-webpack-plugin, workbox-build
Issue or Feature Request Description:
workbox-webpack-plugin has an indirect dependency on ejs 2.7.4, which has an Arbitrary Code Injection vulnerability caused by a filename that isn't sanitized for display. The issue is fixed in ejs version 3.1.6 (mde/ejs@abaee2b).
Are there plans to upgrade the dependencies to address this?
Indirect dependency chain:
workbox-webpack-plugin
--> workbox-build
--> @surma/rollup-plugin-off-main-thread
--> ejs
The fix should really be to update @surma/rollup-plugin-off-main-thread to use the new ejs version, and then the dependencies above it must be updated as well.
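As an added example (not code from the issue or from the Workbox project): a small audit script that walks an npm lockfile's `packages` map, following Node's nested-then-parent `node_modules` resolution, and reports every dependency chain that ends at a package older than the version carrying the fix, here ejs below 3.1.6. The sample lockfile is constructed to mirror the chain above; every version in it except ejs 2.7.4 is an assumption.

```python
# Constructed sample mirroring the chain from the issue; every version
# except ejs 2.7.4 is an assumption, not taken from the report.
SAMPLE_LOCK = {"lockfileVersion": 2, "packages": {
    "": {"dependencies": {"workbox-webpack-plugin": "^6.0.0"}},
    "node_modules/workbox-webpack-plugin": {"version": "6.0.0",
        "dependencies": {"workbox-build": "^6.0.0"}},
    "node_modules/workbox-build": {"version": "6.0.0",
        "dependencies": {"@surma/rollup-plugin-off-main-thread": "^1.4.1"}},
    "node_modules/@surma/rollup-plugin-off-main-thread": {"version": "1.4.1",
        "dependencies": {"ejs": "^2.7.4"}},
    "node_modules/ejs": {"version": "2.7.4"},
}}

def parse_version(v):
    """'3.1.6' -> (3, 1, 6); a pre-release suffix such as '-beta' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def resolve(packages, parent_key, name):
    """Mimic Node resolution: parent's nested node_modules first, then walk up."""
    base = parent_key
    while True:
        cand = f"{base}/node_modules/{name}".lstrip("/")
        if cand in packages:
            return cand
        if not base:
            return None
        base = base.rsplit("/node_modules/", 1)[0] if "/node_modules/" in base else ""

def vulnerable_paths(lock, target, fixed_in):
    """Every chain of names from the root of a lockfileVersion 2/3 "packages"
    map to `target` whose resolved `target` version is older than `fixed_in`."""
    packages, found = lock["packages"], []
    def walk(key, chain, seen):
        for dep in packages[key].get("dependencies", {}):
            dep_key = resolve(packages, key, dep)
            if dep_key is None or dep_key in seen:
                continue  # unresolvable (e.g. optional) or already on this path
            if dep == target:
                ver = packages[dep_key]["version"]
                if parse_version(ver) < parse_version(fixed_in):
                    found.append(chain + [f"{dep}@{ver}"])
                continue
            walk(dep_key, chain + [dep], seen | {dep_key})
    walk("", [], set())
    return found

if __name__ == "__main__":
    for chain in vulnerable_paths(SAMPLE_LOCK, "ejs", "3.1.6"):
        print(" --> ".join(chain))
```

To audit a real project, pass `json.load(open("package-lock.json"))` in place of `SAMPLE_LOCK`; an empty result means no resolved path reaches an ejs older than 3.1.6.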