The EventSource library had a security issue and got patched ~1 week ago, just after the last signalr version. The vulnerability is about Information Disclosure in headers (high risk), and is causing our DevSecOps pipeline to fail. Can you please update the EventSource dependency to the last version?
Hello @GO3LIN! I'm closing this issue as this repo is for the .NET implementation of EventSource. This particular problem seems to be related to the JavaScript eventsource, which seems to be getting the 1.1 version of eventsource: EventSource/eventsource#273 (comment). Since there may be a JavaScript package reference from signalr, please feel free to open a tracking issue in https://github.com/signalr/signalr.
For this issue specifically, EventSource 1.1.1 is not vulnerable, but most vulnerability databases don't seem to be updated yet. EventSource/eventsource#273 (comment)
ghost locked as resolved and limited conversation to collaborators on Jun 19, 2022