Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2020-28502: xmlhttprequest-ssl-1.5.5.tgz #915

Open
jeklein opened this issue Mar 24, 2021 · 3 comments
Open

CVE-2020-28502: xmlhttprequest-ssl-1.5.5.tgz #915

jeklein opened this issue Mar 24, 2021 · 3 comments

Comments

@jeklein
Copy link

jeklein commented Mar 24, 2021

Vulnerability registered for nested dependency with xmlhttprequest-ssl-1.5.5. Upgrade to 1.7.0 should remediate.

I can work on the PR, but if someone gets it sooner, great.

Additional Data

Dependency map:
@serverless/components-3.7.7.tgz

 -> platform-client-china-2.1.9.tgz

   -> utils-china-1.0.14.tgz

     -> socket.io-client-2.4.0.tgz

       -> engine.io-client-3.5.1.tgz

         -> xmlhttprequest-ssl-1.5.5.tgz
@flisboac
Copy link

flisboac commented May 4, 2021
edited

There is an advisory for that: https://npmjs.com/advisories/1665.

@KilleRBBC
Copy link

There is an issue in the utils-china package which seems to be related, and should fix the upstream dependency chain if resolved, as well.
https://github.com/serverlessinc/utils-china/issues/73

@cschroedl-gov
Copy link

Relates to serverless/serverless#9431

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@flisboac @cschroedl-gov @jeklein @KilleRBBC