Code injection security vulnerability at js-yaml
See original GitHub issue

Hi there,
Thanks for making cosmiconfig!
You have a dependency on js-yaml@3.13.0. Please see this report of a High severity vulnerability in this module.
Issue Analytics
- Created 4 years ago
- Comments: 5 (3 by maintainers)
Top Results From Across the Web

Code Injection in js-yaml · GHSA-8j8c-7jfh-h6hx - GitHub
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file. Objects that have ...

js-yaml@3.0.2 - Snyk Vulnerability Database
js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Arbitrary Code Execution.

Code Execution via YAML in JS-YAML Node.js Module
The JS-YAML module for Node.js contained a code execution vulnerability prior to version 2.0.5. The maintainers of JS-YAML have patched this vulnerability ...

parsing of malicious YAML with load() allows for code execution
Product: Security Response ... Assignee: Red Hat Product Security ... The js-yaml package, before version 3.13.1, is vulnerable to code execution when ...

Code Injection in js-yaml - Vulners
Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML...
Top GitHub Comments
Removing the lock file and a clean install would pull in the latest version of js-yaml. So for anybody who wishes to fix this issue immediately, there is no need to wait for a fix from this library (we'll do it though).

If your issue is time sensitive then you should fork the repo and depend on that in the meantime. I assume this issue will be addressed within the next couple weeks, but we can't promise anything.