[BUG] security vulnerabilities in libraries #241

Open
Lastaapps opened this issue May 28, 2024 · 3 comments
Labels
bug Something isn't working

Comments

@Lastaapps
Describe the bug
Hi, I just included version 1.3.0-alpha.2 of skrape.it in my project, and IntelliJ reports that the package depends on vulnerable versions of quite a few libraries. When I try version 1.2.2, it's the same. I'm not saying that users of this library are directly vulnerable, but it's suspicious at least. All the vulnerabilities have quite a high score, so it would make sense to just make a 1.2.3 release with these libs bumped. Thanks for the great project!

[image: All the vulnerabilities reported by IntelliJ]

@Lastaapps Lastaapps added the bug Something isn't working label May 28, 2024
@Lastaapps (Author)

A potential fix for anyone reading this is to just update the libraries on your side; this should be safe.

    // build.gradle.kts: declaring the newer versions directly makes Gradle's
    // conflict resolution select them over the older transitive versions
    // that skrape.it pulls in (Gradle picks the highest requested version).
    implementation("ch.qos.logback:logback-core:1.4.12")
    implementation("ch.qos.logback:logback-classic:1.4.12")
    implementation("commons-net:commons-net:3.9.0")
    implementation("org.apache.commons:commons-text:1.10.0")
    implementation("org.jsoup:jsoup:1.15.3")
    implementation("xalan:xalan:2.7.3")

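The snippet above turns each overridden library into a direct dependency of the consuming project. As an added example (not code from the skrape.it project or from the commenter), the build script below uses Gradle dependency constraints instead, which raise the resolved version of a module that is only reached transitively without adding it to the project's own API surface, and registers a task that fails the build if any of the listed modules still resolves below its minimum. The Kotlin JVM plugin version, the `it.skrape:skrapeit` artifact coordinates and the task name `checkPinnedVersions` are assumptions made for the example; the module names and minimum versions are the ones posted in the comment above.

```kotlin
// build.gradle.kts (added example; plugin version and skrape.it coordinates are assumed)
plugins {
    kotlin("jvm") version "1.9.24"
}

repositories {
    mavenCentral()
}

// Minimum versions for the transitive dependencies listed in the issue,
// keyed by Maven "group:artifact" coordinates.
val minimumVersions = mapOf(
    "ch.qos.logback:logback-core" to "1.4.12",
    "ch.qos.logback:logback-classic" to "1.4.12",
    "commons-net:commons-net" to "3.9.0",
    "org.apache.commons:commons-text" to "1.10.0",
    "org.jsoup:jsoup" to "1.15.3",
    "xalan:xalan" to "2.7.3",
)

dependencies {
    implementation("it.skrape:skrapeit:1.3.0-alpha.2") // assumed artifact coordinates

    // A constraint only influences version selection: the module stays a
    // transitive dependency of skrape.it, but Gradle will not resolve it
    // below the stated version. A plain implementation(...) line would
    // instead make it a direct dependency of this project.
    constraints {
        minimumVersions.forEach { (module, version) ->
            implementation("$module:$version") {
                because("transitive version pulled in by skrape.it is reported as vulnerable by IntelliJ")
            }
        }
    }
}

// Split "1.4.12" or "1.3.0-alpha.2" into comparable numeric parts; a
// non-numeric qualifier such as "alpha" counts as 0.
fun versionParts(v: String): List<Int> = v.split('.', '-').map { it.toIntOrNull() ?: 0 }

fun isAtLeast(actual: String, minimum: String): Boolean {
    val a = versionParts(actual)
    val m = versionParts(minimum)
    for (i in 0 until maxOf(a.size, m.size)) {
        val diff = a.getOrElse(i) { 0 } - m.getOrElse(i) { 0 }
        if (diff != 0) return diff > 0
    }
    return true
}

// Fails the build if any pinned module still resolves below its minimum on
// the runtime classpath, so a later dependency change (or a forced older
// version elsewhere in the build) cannot silently bring the old versions back.
tasks.register("checkPinnedVersions") {
    doLast {
        val resolved = configurations.runtimeClasspath.get()
            .incoming.resolutionResult.allComponents
            .mapNotNull { it.moduleVersion }
            .associate { "${it.group}:${it.name}" to it.version }

        val stale = minimumVersions.filter { (module, minimum) ->
            val actual = resolved[module]
            actual != null && !isAtLeast(actual, minimum)
        }
        if (stale.isNotEmpty()) {
            throw GradleException("Modules still below the pinned minimum on runtimeClasspath: $stale")
        }
    }
}
```

Run `./gradlew checkPinnedVersions` after changing dependencies, and `./gradlew dependencyInsight --configuration runtimeClasspath --dependency xalan` (or any other module from the list) to see which declaration won the version selection and why. Keep logback-core and logback-classic on the same version, as the list above does, since the two artifacts are released together. Pinning the transitive versions removes the scanner findings; whether the old versions were actually reachable through skrape.it's use of each library is a separate question that the issue leaves open.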
@jilvin

jilvin commented Jan 5, 2025

Shouldn't we get this fixed? Anyone tracking this issue somewhere else?

@jilvin

jilvin commented Jan 5, 2025

Issue #202 covers a subset of the vulnerabilities reported here in this issue. Fixing this issue should close #202 too.

Development
No branches or pull requests

3 participants