Hi, @codenirvana,
Issue Description
When I build my project, I notice that the vulnerabilities CVE-2021-26539, CVE-2021-26540, and SNYK-JS-SANITIZEHTML-585892 are detected in package sanitize-html@1.20.1, which is directly referenced by postman-collection@3.6.11.
However, postman-collection@3.6.11 is so popular that a large number of latest versions of active and popular downstream projects depend on it (44,096 downloads per week and about 93 downstream projects, e.g., @stoplight/http-spec 4.2.2, @stoplight/prism-cli 4.3.1, @open-wa/wa-automate 4.12.3, @stoplight/elements 7.0.6, postman-to-k6 1.5.0, etc.).
In this case, the vulnerability CVE-2021-26539 can be propagated into these downstream projects and expose security threats to them.
As you can see, postman-collection@3.6.11 is introduced into the above projects via the following package dependency paths:
(1) @open-wa/wa-automate@4.12.3 ➔ postman-2-swagger@0.5.0 ➔ postman-collection@3.6.11 ➔ sanitize-html@1.20.1 ......
I know that it's kind of you to have removed the vulnerability since postman-collection@4.0.0. But, in fact, the above large number of downstream projects cannot easily upgrade postman-collection from version 3.6.11 to (>=4.0.0):
The projects such as postman-2-swagger, which introduced postman-collection@3.6.11, are not maintained anymore. These unmaintained packages can neither upgrade postman-collection nor be easily migrated by the large number of affected downstream projects.
Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerabilities from package postman-collection@3.6.11?
Suggested Solution
Since these inactive projects set a version constraint 3.6.* for postman-collection on the above vulnerable dependency paths, if postman-collection removes the vulnerability from 3.6.11 and releases a new patched version postman-collection@3.6.12, such a vulnerability patch can be automatically propagated into the downstream projects.
In postman-collection@3.6.12, maybe you can try to perform the following upgrade: sanitize-html 1.20.1 ➔ ^2.3.2; Note: sanitize-html@2.3.2 (>=2.3.2) has fixed the vulnerabilities CVE-2021-26539, CVE-2021-26540, and SNYK-JS-SANITIZEHTML-585892.
Thank you for your attention to this issue and welcome to share other ways to resolve the issue.^_^
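The propagation argument in the suggested solution, as an added example (not code from postman-collection or from the issue author): a toy resolver over a constructed registry snapshot shows that the unchanged `3.6.*` range in postman-2-swagger cannot reach 4.0.0, but picks up a hypothetical 3.6.12 that bumps sanitize-html to `^2.3.2`. Range parsing is deliberately limited to the three shapes that appear in the issue.

```javascript
// Added example, not part of postman-collection. Registry contents are constructed.
const parse = v => v.split('.').map(Number);
const cmp = (a, b) => { const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i]; return 0; };

// Supports only the range shapes quoted in the issue: "3.6.*", "^2.3.2", or an exact pin.
function satisfies(version, range) {
  const [M, m] = parse(version);
  if (range.endsWith('.*')) { const [rM, rm] = parse(range.slice(0, -2)); return M === rM && m === rm; }
  if (range.startsWith('^')) return M === parse(range.slice(1))[0] && cmp(version, range.slice(1)) >= 0;
  return version === range;
}

// npm-style choice: the highest published version that satisfies the range.
function maxSatisfying(versions, range) {
  const ok = versions.filter(v => satisfies(v, range)).sort(cmp);
  return ok.length ? ok[ok.length - 1] : null;
}

// Resolve a dependency chain depth-first, returning "name@version" entries in order.
function resolve(registry, name, range, out = []) {
  const version = maxSatisfying(Object.keys(registry[name]), range);
  if (version === null) throw new Error(`no version of ${name} satisfies ${range}`);
  out.push(`${name}@${version}`);
  for (const [dep, depRange] of Object.entries(registry[name][version])) resolve(registry, dep, depRange, out);
  return out;
}

// Per the issue, sanitize-html >= 2.3.2 fixes CVE-2021-26539 / CVE-2021-26540.
const vulnerableSanitizeHtml = resolved =>
  resolved.filter(e => e.startsWith('sanitize-html@') && cmp(e.split('@')[1], '2.3.2') < 0);

// Constructed snapshot of the path quoted in the issue; 4.0.0's own deps are omitted.
const registry = {
  'postman-2-swagger': { '0.5.0': { 'postman-collection': '3.6.*' } },
  'postman-collection': { '3.6.11': { 'sanitize-html': '1.20.1' }, '4.0.0': {} },
  'sanitize-html': { '1.20.1': {}, '2.3.2': {} },
};

// Before a patch release: "3.6.*" excludes 4.0.0, so the vulnerable 3.6.11 chain is chosen.
const before = resolve(registry, 'postman-2-swagger', '0.5.0');
// After a hypothetical 3.6.12 with the bumped dependency is published, the same
// unchanged range in the unmaintained package resolves to the fixed chain.
registry['postman-collection']['3.6.12'] = { 'sanitize-html': '^2.3.2' };
const after = resolve(registry, 'postman-2-swagger', '0.5.0');
```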