[Bug] when 0.53 monaco-editor version will be released with the vulnerability fix? #4738
Comments
Hi @joaomoreno, could you please provide us with some information about the release date? Thanks in advance for your help.
https://www.npmjs.com/package/monaco-editor is still 0.52.0
Hi @rzhao271 @mjbvz @joaomoreno As there has been no reply in 3 weeks regarding the release date, can we please get an update?
At least, knowing the approx date would be helpful
Do you know if the new patch update release includes this fix, or do we have to wait for the minor release (0.53)?
@dreamofdoc As far as I can see, the patch is included: https://github.com/microsoft/monaco-editor/pull/4774/files
@acherkashin Oh I see, thank you!
Just from the diff between 0.52.2 and 0.52.0 it wasn't clear to me if the fix is really included. But if you take a look at http://unpkg.com/monaco-editor@0.52.2/esm/vs/base/browser/dompurify/dompurify.js you can see the version.
Fixed in 0.52.2 (https://github.com/microsoft/monaco-editor/blob/release/0.52/CHANGELOG.md#0521).
This is because the monaco editor is built from the VS Code sources, which we reference by its commit hash. That CVE is about "Inefficient Regular Expression Complexity", which does not play a role for the monaco-editor.
Reproducible in vscode.dev or in VS Code Desktop?
Reproducible in the monaco editor playground?
Monaco Editor Playground Link
No response
Monaco Editor Playground Code
No response
Reproduction Steps
Please answer the question: Do you happen to know when 0.53 monaco-editor version will be released with the vulnerability fix?
#4692 (comment)
Monaco editor has a CVE which is fixed and has not been released for quite some time now.
Actual (Problematic) Behavior
No response
Expected Behavior
No response
Additional Context
No response