Releases: Stassi/leaf

Resolved "Regular expression denial of service (ReDoS) in cross-spawn"

12 Nov 10:03

Changelog: v0.0.77...v0.0.78
Pull request: #78
Resolves potential vulnerability: Regular expression denial of service (ReDoS) in cross-spawn

Resolution to potential vulnerability

The cross-spawn library was vulnerable to a high-severity regular expression denial-of-service (ReDoS) attack due to improper input sanitization. This could result in increased CPU usage and the program crashing when it processes a very large, specially crafted string.

View the full security disclosure at the project's security policy document.

Solution

cross-spawn@^7.0.5 was set as an npm override, ensuring npm will no longer install vulnerable versions of cross-spawn required by serve in this project.

Update required

If any project requires a version of @stassi/leaflet prior to v0.0.78, run npm update immediately to ensure the latest security updates are received.

Resolved 2/2 "Unsafe HTML construction in leaflet library input"

05 Oct 07:24

Changelog: v0.0.36...v0.0.37
Pull request: #37
Resolves potential vulnerability (2 of 2): Unsafe HTML construction in leaflet library input

Resolution to potential vulnerability (2 of 2)

The leaflet library was found constructing HTML dynamically based on potentially unsafe input, which could allow attackers to inject untrusted HTML or scripts into the web page, leading to a cross-site scripting (XSS) vulnerability.

View the full security disclosure at the project's security policy document.

Solution

innerHTML attribute mutations in client-side leaflet tutorials are sanitized by wrapping "dirty" values in DOMPurify.sanitize(...), fully resolving the potential vulnerability.

Update required

If any project requires a version of @stassi/leaflet prior to v0.0.37, run npm update immediately to ensure the latest security updates are received.

Resolved 1/2 "Unsafe HTML construction in leaflet library input"

05 Oct 07:14

Changelog: v0.0.33...v0.0.34
Pull request: #34
Partially resolves potential vulnerability (1 of 2): Unsafe HTML construction in leaflet library input

Partial resolution to potential vulnerability (1 of 2)

The leaflet library was found constructing HTML dynamically based on potentially unsafe input, which could allow attackers to inject untrusted HTML or scripts into the web page, leading to a cross-site scripting (XSS) vulnerability.

View the full security disclosure at the project's security policy document.

Solution (partial)

innerHTML attribute mutations in leaflet are sanitized at build time with DOMPurify.sanitize(...) wrappers, partially resolving the potential vulnerability.

Update required

If any project requires a version of @stassi/leaflet prior to v0.0.34, run npm update immediately to ensure the latest security updates are received.
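The two leaflet releases above (build-time wrappers in v0.0.34, client-side tutorial wrappers in v0.0.37) apply one pattern: every innerHTML mutation passes its "dirty" value through DOMPurify.sanitize(...) first. The following is an added example, not code from the Stassi/leaf project, showing that pattern as a reusable helper next to the unsafe assignment the advisory describes. DOMPurify.sanitize is the real DOMPurify API and is assumed to be loaded as a browser global; the text-escaping fallback, the element stub, the stand-in sanitizer and the sample markup are constructed here for an offline run.

```javascript
// Added example (not Stassi/leaf project code). DOMPurify is assumed to be a
// browser global; everything else below is constructed for this demo.

// Minimal HTML escaping used only when no sanitizer is available: the value is
// rendered as inert text instead of being parsed as markup (fail closed).
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Resolve the sanitizer: an explicit function, else DOMPurify if loaded,
// else the escaping fallback so untrusted markup is never parsed as HTML.
function resolveSanitizer(sanitize) {
  if (typeof sanitize === 'function') return sanitize;
  const purifier = globalThis.DOMPurify;
  if (purifier && typeof purifier.sanitize === 'function') {
    return (dirty) => purifier.sanitize(dirty);
  }
  return escapeHtml;
}

// VULNERABLE pattern (what the advisory describes): untrusted input is
// assigned straight to innerHTML and parsed as markup.
function setHtmlUnsafe(element, dirty) {
  element.innerHTML = dirty;
  return element.innerHTML;
}

// HARDENED pattern: the same mutation, with the dirty value wrapped first.
function setHtmlSafe(element, dirty, sanitize) {
  const clean = resolveSanitizer(sanitize)(dirty);
  element.innerHTML = clean;
  return clean;
}

// Constructed sample: a marker caption carrying attacker-controlled markup.
const SAMPLE_DIRTY =
  '<b>Marker</b><img src=x onerror="alert(1)"><script>alert(2)</script>';

// Constructed stand-in for DOMPurify so the demo runs without a DOM: drops
// script elements and on* event-handler attributes. Real DOMPurify does
// far more than this and should be used in production.
function demoSanitize(dirty) {
  return String(dirty)
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Run all three variants against the sample and return what ended up in innerHTML.
function demo() {
  const el = { innerHTML: '' }; // constructed element stub; a real node in the browser
  return {
    unsafe: setHtmlUnsafe(el, SAMPLE_DIRTY),      // markup and handlers kept verbatim
    purified: setHtmlSafe(el, SAMPLE_DIRTY, demoSanitize), // '<b>Marker</b><img src=x>'
    escaped: setHtmlSafe(el, SAMPLE_DIRTY),       // no DOMPurify here, so escaped text
  };
}
```

In the browser the call is simply `setHtmlSafe(popupElement, value)`, which picks up the DOMPurify global; keeping the sanitizer injectable makes the wrapper testable and makes a missing sanitizer fail closed instead of silently reverting to the unsafe assignment.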

Resolved "Regular expression denial of service (ReDoS) in path-to-regexp"

05 Oct 06:52

Changelog: v0.0.30...v0.0.31
Pull request: #31
Resolves potential vulnerability: Regular expression denial of service (ReDoS) in path-to-regexp

Resolution to potential vulnerability

The path-to-regexp library was vulnerable to a medium-to-high-severity regular expression denial-of-service (ReDoS) attack when handling multiple parameters in a single segment separated by certain characters. This could result in excessive backtracking, degrading performance and potentially causing a denial-of-service (DoS).

View the full security disclosure at the project's security policy document.

Solution

path-to-regexp@^3.3.0 was set as an npm override, ensuring npm will no longer install vulnerable versions of path-to-regexp required by serve in this project.

Update required

If any project requires a version of @stassi/leaflet prior to v0.0.31, run npm update immediately to ensure the latest security updates are received.
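The override mechanism used in v0.0.31 (path-to-regexp) and v0.0.78 (cross-spawn), shown as an added package.json fragment rather than the project's own manifest: the dependency name serve and the two override ranges come from the release notes above; the package name, version and the serve range are placeholders.

```json
{
  "name": "placeholder-project",
  "version": "0.0.0",
  "devDependencies": {
    "serve": "PLACEHOLDER_RANGE"
  },
  "overrides": {
    "path-to-regexp": "^3.3.0",
    "cross-spawn": "^7.0.5"
  }
}
```

After adding the overrides, run npm install so that package-lock.json is rewritten, then npm ls path-to-regexp cross-spawn to confirm that only versions inside the overridden ranges resolve anywhere in the tree. npm honours overrides only in the root project's package.json, which is why a consuming project that pulls in the same transitive dependency through another path needs its own override rather than relying on a dependency's manifest.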

Resolved "DOM clobbering gadget in rollup bundled scripts leading to XSS"

05 Oct 06:33

Changelog: v0.0.29...v0.0.30
Pull request: #30
Resolves potential vulnerability: DOM clobbering gadget in rollup bundled scripts leading to XSS

Resolution to potential vulnerability

A high-severity DOM clobbering vulnerability was identified in Rollup-bundled scripts when using formats like cjs, umd, or iife. This allowed attackers to manipulate the document.currentScript property and dynamically load scripts from malicious sources, potentially leading to cross-site scripting (XSS).

View the full security disclosure at the project's security policy document.

Solution

Installed rollup@^4.22.4, resolving the potential vulnerability.

Update required

If any project requires a version of @stassi/leaflet prior to v0.0.30, run npm update immediately to ensure the latest security updates are received.