
Outdated dependency CVE-2020-7753 #3568

Closed
D-3lf opened this issue Oct 30, 2020 · 4 comments


D-3lf commented Oct 30, 2020

Version

4.10.1 NPM package

To determine what version of Web Chat you are running, open your browser's development tools, and paste the following line of code into the console.

[].map.call(document.head.querySelectorAll('meta[name^="botframework-"]'), function (meta) { return meta.outerHTML; }).join('\n')

If you are using Web Chat outside of a browser, please specify your hosting environment. For example, React Native on iOS, Cordova on Android, SharePoint, PowerApps, etc.

Describe the bug

Web Chat depends on Remark version 10.0.1 which contains a package with the CVE-2020-7753 vulnerability.
The path to the vulnerable library is:
Web Chat <- botframework-webchat-component <- remark 10.0.1 <- remark-parse 6.0.3 <- trim 0.0.1

Steps to reproduce

N/A, it exists in the latest version

Expected behavior

Not having CVSS V3 7.5/10 vulnerabilities.

Additional context

Upgrading to remark 13 will fix this

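An added example (not code from the Web Chat project or the issue author) that walks a constructed dependency tree mirroring the chain quoted above and reports every path ending in a package version covered by the advisory. The intermediate package versions not named in the issue, and the "fixed in 0.0.3" boundary for trim, are assumptions made for illustration.

```javascript
// Added example (not Web Chat project code): walk an npm-style dependency tree
// and report every path that reaches a package version covered by an advisory.
// The tree is CONSTRUCTED to mirror the chain in the issue; unnamed versions are assumed.
const tree = {
  name: 'botframework-webchat', version: '4.10.1',
  dependencies: {
    'botframework-webchat-component': {
      version: '4.10.1',
      dependencies: {
        remark: {
          version: '10.0.1',
          dependencies: {
            'remark-parse': { version: '6.0.3', dependencies: { trim: { version: '0.0.1' } } },
          },
        },
      },
    },
  },
};

// Compare two dotted numeric versions; negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Depth-first search: every root-to-leaf chain ending in an affected
// name@version. `advisory.fixedIn` is the first version that is NOT affected.
function findVulnerablePaths(root, advisory) {
  const paths = [];
  function walk(node, name, trail) {
    const here = trail.concat(`${name}@${node.version}`);
    if (name === advisory.name && compareVersions(node.version, advisory.fixedIn) < 0) {
      paths.push(here.join(' > '));
    }
    for (const [dep, child] of Object.entries(node.dependencies || {})) walk(child, dep, here);
  }
  walk(root, root.name, []);
  return paths;
}

// CVE-2020-7753 is the advisory from the issue; "fixed in 0.0.3" is an assumption here.
const trimAdvisory = { id: 'CVE-2020-7753', name: 'trim', fixedIn: '0.0.3' };
console.log(findVulnerablePaths(tree, trimAdvisory));
```

Running the same walk against a lockfile converted to this shape tells you whether a proposed upgrade of an intermediate package (remark here) actually removes every path to the affected version, rather than only one of them.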

corinagum (Contributor) commented Oct 30, 2020

Thanks for filing this issue. This is potentially related to #3360, depending on whether we move away from this package or not. Assigning to @compulim since he is the assigned dev for 3360.

mrivera-ms commented

@compulim could you please take a look?

axelsrz added this to the R12 milestone Nov 23, 2020

compulim (Contributor) commented

We will need to take out remark@10, as we tested and @11 doesn't work with IE11. We also have an accessibility bug related to strip-markdown (and remark), in that it is incapable of removing HTML tags from Markdown.

corinagum (Contributor) commented

I am closing this as a dupe of #3360 for consolidation.
