Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-6h5x-7c5m-7cr7] Exposure of Sensitive Information in eventsource #366

Conversation

DaleGardner
Copy link

Updates

  • Affected products
  • References

@github-actions github-actions bot changed the base branch from main to DaleGardner/advisory-improvement-366 June 7, 2022 19:34
@DaleGardner
Copy link
Author

This is updating the advisory to reflect that eventsource v1.1.1 did not actually drop the "original" dependency, hence it is still vulnerable.

@advisory-database advisory-database bot closed this Jun 8, 2022
@github-actions github-actions bot deleted the DaleGardner-GHSA-6h5x-7c5m-7cr7 branch June 8, 2022 19:10
@shelbyc
Copy link
Contributor

shelbyc commented Jun 9, 2022

According to the thread provided in the community contribution and the resulting pull request, version 1.1.1 is vulnerable to a different and independently fixable issue that would need its own advisory and is outside the scope of this GHSA. You can encourage the maintainer to publish a separate advisory to clear up confusion between the two issues.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants