
Update redoc min version because of a critical vulnerability in dompurify #392

Open
HeyRatFans opened this issue Feb 5, 2020 · 7 comments

Comments

@HeyRatFans

Detailed description

npm audit reports the following critical vulnerability in dompurify as used by redoc.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dompurify                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ redoc                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ redoc > dompurify                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1205                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Cross-Site Scripting                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ dompurify                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ redoc                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ redoc > dompurify                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1223                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Updating to redoc@2.0.0-rc19 or newer will update dompurify and fix the vulnerability.
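One way to verify the remediation described in this report against a lockfile, as an added example that is not code from the issue or from the redoc project: it walks a `package-lock.json` tree (lockfileVersion 1 shape, nested `dependencies` objects), lists every path that ends in `dompurify`, and checks whether the top-level package on each path is already at or above the fix version the issue names. The lockfile contents and every version number in `LOCK` are constructed for the example; the fix version comes from the issue but is written here in dotted prerelease form (`2.0.0-rc.19`), which is an assumption about how the tag is spelled. No `semver` package is used; a minimal spec-following comparator is implemented inline so the check runs offline.

```javascript
// Added example, not code from the issue or from the redoc project.
// Walks a package-lock.json tree (lockfileVersion 1 shape), lists every
// path that reaches a package named in an advisory, and checks whether the
// top-level dependent on that path already meets a known fix version.
// All versions in LOCK are constructed for this example, not real releases.

// Constructed lockfile: dompurify is reached via an old redoc and via an
// unrelated package for which no fix version is known.
const LOCK = {
  name: "docs-site",
  lockfileVersion: 1,
  dependencies: {
    redoc: {
      version: "2.0.0-rc.8",
      dependencies: { dompurify: { version: "1.0.0" } },
    },
    "some-editor": {
      version: "3.1.0",
      dependencies: { dompurify: { version: "2.0.0" } },
    },
    lodash: { version: "4.17.15" },
  },
};

// Fix version named in the issue (redoc@2.0.0-rc19 or newer), written in
// dotted prerelease form so the "19" compares numerically (assumption).
const FIX_VERSIONS = { redoc: "2.0.0-rc.19" };

// Parse "MAJOR.MINOR.PATCH[-pre.release]" into comparable parts.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver string: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split(".") : [],
  };
}

// Compare two prerelease identifiers per the semver spec: all-digit
// identifiers compare numerically, anything else lexically in ASCII order.
// Quirk: "rc19" is one alphanumeric identifier, so "rc19" < "rc9" lexically,
// whereas "rc.19" > "rc.9" because 19 and 9 are separate numeric identifiers.
function compareIdent(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Number(a) - Number(b);
  if (an) return -1; // numeric identifiers sort before alphanumeric ones
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Comparator: <0, 0 or >0. A version with a prerelease tag sorts below the
// same version without one (2.0.0-rc.19 < 2.0.0).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.main[i] !== pb.main[i]) return pa.main[i] - pb.main[i];
  }
  if (pa.pre.length === 0 && pb.pre.length === 0) return 0;
  if (pa.pre.length === 0) return 1;
  if (pb.pre.length === 0) return -1;
  const n = Math.min(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdent(pa.pre[i], pb.pre[i]);
    if (c !== 0) return c;
  }
  return pa.pre.length - pb.pre.length; // longer prerelease list is higher
}

// Depth-first walk of the nested tree, collecting the "name@version" chain
// for every occurrence of `target`.
function findPaths(lock, target) {
  const out = [];
  (function walk(deps, chain) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const next = chain.concat(`${name}@${entry.version}`);
      if (name === target) out.push(next);
      walk(entry.dependencies, next);
    }
  })(lock.dependencies, []);
  return out;
}

// Split "name@version" on the last "@" so scoped packages (@scope/name) work.
function splitNameVersion(s) {
  const i = s.lastIndexOf("@");
  return [s.slice(0, i), s.slice(i + 1)];
}

// For each path to `target`, report the top-level dependent and whether it
// meets the fix version; `fixed` is null when no fix version is known for it.
function auditPaths(lock, target, fixVersions) {
  return findPaths(lock, target).map((chain) => {
    const [top, topVersion] = splitNameVersion(chain[0]);
    const fix = fixVersions[top];
    return {
      path: chain.join(" > "),
      top,
      fixed: fix ? compareSemver(topVersion, fix) >= 0 : null,
    };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of auditPaths(LOCK, "dompurify", FIX_VERSIONS)) {
    const verdict = r.fixed === null ? `no fix version known for ${r.top}`
      : r.fixed ? "fixed" : `UPDATE ${r.top}`;
    console.log(`${r.path}  -> ${verdict}`);
  }
}
```

The comparator follows the semver rules on purpose rather than guessing: a `>=` check against a prerelease tag spelled `rc19` (as in this issue) compares lexically and would rank `rc8` above `rc19`, so normalise the tag format you are comparing against before trusting the result.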

@pkuczynski

@MikeRalphson @djtarazona any chance this could be fixed and released soon?

@MikeRalphson
Contributor

I have no commit rights to this repository, and believe it is de facto unmaintained.

@pkuczynski

That's really a shame :/

@pkuczynski

I ended up using spectral, although they have a quite annoying issue at the moment: stoplightio/spectral#955

@HeyRatFans
Author

Such a shame this is abandoned :(

@MikeRalphson @pkuczynski do you guys have any suggestions for compiling multiple swagger docs into a single file? My work maintains an API and the swagger documentation for it is maintained in separate files, one for each endpoint. Obviously this helps with maintaining the files, but makes swagger very slow on initial load which is rather unbearable.

Thanks!

@MikeRalphson
Contributor
