npm project @microsoft/signalr depend on security vulnerable version of eventsource #41728
Closed
1 task done
Labels
area-signalr
Includes: SignalR clients and servers
Comments
|
@microsoft/signalr will use version 1.1.1 today when you download and install it in your project. 1.1.1 does not have the vulnerability mentioned EventSource/eventsource#273 (comment) And we are already updating to 2.0.2 on main, see #41270 |
ghost
locked as resolved and limited conversation to collaborators
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Is there an existing issue for this?
Describe the bug
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository eventsource/eventsource prior to v2.0.2.
@microsoft/signalr latest version depending on eventsource "^1.0.7".
Expected Behavior
Please update and release new version of @microsoft/signalr depend on v2.0.2 or upper version of eventsource.
Steps To Reproduce
Exceptions (if any)
No response
.NET Version
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered: