Publish a new release with send >= 0.19.0; CVE-2024-43799 #2086

sdavids · 2024-09-15T09:57:00Z

$ mkdir /tmp/test && cd "$_"
$ npm i --save-dev browser-sync@3.0.2
$ npm audit
# npm audit report

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install browser-sync@2.26.2, which is a breaking change
node_modules/send
  browser-sync  >=2.12.1
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/browser-sync
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static


3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

max-holland · 2024-09-17T10:05:30Z

+1

yokoishioka · 2024-09-17T23:28:27Z

I just submitted a PR for this and to resolve the one for sever-static as well: #2087

rmch91 · 2024-09-18T13:52:04Z

+1

shakyShane · 2024-09-18T14:02:29Z

I'll sort this later today, thanks :)

sdavids changed the title ~~Publish a new release with send >= 0.19.0~~ Publish a new release with send >= 0.19.0; CVE-2024-43799 Sep 15, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Publish a new release with send >= 0.19.0; CVE-2024-43799 #2086

Publish a new release with send >= 0.19.0; CVE-2024-43799 #2086

sdavids commented Sep 15, 2024

max-holland commented Sep 17, 2024

yokoishioka commented Sep 17, 2024

rmch91 commented Sep 18, 2024

shakyShane commented Sep 18, 2024

Publish a new release with send >= 0.19.0; CVE-2024-43799 #2086

Publish a new release with send >= 0.19.0; CVE-2024-43799 #2086

Comments

sdavids commented Sep 15, 2024

max-holland commented Sep 17, 2024

yokoishioka commented Sep 17, 2024

rmch91 commented Sep 18, 2024

shakyShane commented Sep 18, 2024