
Is there any plan to update the version of js-yaml at all?

Currently yarn audit yields the following advisory.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.13.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-svg-loader                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-svg-loader > react-svg-core > svgo > js-yaml           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/788                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
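A small triage helper for the situation in this issue, added here as an example and not code from the issue or from react-svg-loader: it reads `yarn audit --json` output, flags advisories whose installed version is below the "Patched in" range, and emits the `resolutions` glob that yarn 1 uses to pin a nested transitive package while the upstream release is still pending. The NDJSON sample is constructed to mirror the advisory above (the installed version 3.12.0 is invented, since the table does not show it), and the field names are assumed to follow yarn 1's audit format.

```javascript
// Added example (not from the issue or react-svg-loader): triage `yarn audit --json`
// output and suggest a package.json "resolutions" entry for each transitive advisory.
// Plain Node.js, no dependencies. The sample lines below are CONSTRUCTED to mirror the
// advisory in the issue; field names are assumed to follow yarn 1's NDJSON audit output.
const SAMPLE_AUDIT_NDJSON = [
  JSON.stringify({ type: 'auditAdvisory', data: {
    resolution: { id: 788, path: 'react-svg-loader>react-svg-core>svgo>js-yaml', dev: false },
    advisory: { id: 788, module_name: 'js-yaml', severity: 'moderate', title: 'Denial of Service',
      patched_versions: '>=3.13.0',
      findings: [{ version: '3.12.0', paths: ['react-svg-loader>react-svg-core>svgo>js-yaml'] }] } } }),
  JSON.stringify({ type: 'auditSummary', data: { vulnerabilities: { moderate: 1 } } }),
].join('\n');

// Minimal semver check: does `version` satisfy a range made of `>=X.Y.Z` comparators
// joined by `||`? Enough for the "Patched in" ranges audit reports; not a full semver parser.
function parseVersion(v) { return v.split('.').map(Number); }
function satisfiesPatched(version, range) {
  if (range === '<0.0.0') return false;           // audit's marker for "no fix available"
  const have = parseVersion(version);
  return range.split('||').some((clause) => {
    const m = clause.trim().match(/^>=\s*(\d+\.\d+\.\d+)$/);
    if (!m) return false;                          // unsupported comparator: treat as unpatched
    const want = parseVersion(m[1]);
    for (let i = 0; i < 3; i++) {
      if (have[i] !== want[i]) return have[i] > want[i];
    }
    return true;                                   // equal to the lower bound satisfies >=
  });
}

// Turn the NDJSON stream into actionable items: which package, via which path, whether it is
// transitive, and the `resolutions` glob that pins every nested copy to a patched version.
function triageAudit(ndjson) {
  return ndjson.split('\n').filter(Boolean).map(JSON.parse)
    .filter((rec) => rec.type === 'auditAdvisory')
    .flatMap(({ data: { advisory, resolution } }) =>
      advisory.findings
        .filter((f) => !satisfiesPatched(f.version, advisory.patched_versions))
        .map((f) => ({
          module: advisory.module_name, installed: f.version, severity: advisory.severity,
          patchedIn: advisory.patched_versions, path: resolution.path,
          transitive: resolution.path.includes('>'),
          resolutions: { [`**/${advisory.module_name}`]: advisory.patched_versions },
        })));
}

console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT_NDJSON), null, 2));
```

Merge the emitted `resolutions` object into package.json and re-run `yarn install` followed by `yarn audit` to confirm the advisory clears; the pin is a stopgap until react-svg-loader ships a release containing the fix.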

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Reactions: 14
  • Comments: 6 (1 by maintainers)

Top GitHub Comments

13 reactions
lasseborly commented, Apr 15, 2019

It seems to already be fixed in this commit: https://github.com/boopathi/react-svg-loader/commit/e8884d1c1aea1d54e406479b795099b0e74aab75

Would be nice to have a version out with the fix 😃

8 reactions
cakasuma commented, Apr 16, 2019

When will the next release be to fix this issue?
