Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

High severity vulnerability found in dependency of hapi-swagger

See original GitHub issue

Context

hapi-swagger version: 9.3.1

What are you trying to achieve or the steps to reproduce?

Run vulnerability detection tool such as snyk

Output: screen shot 2019-02-19 at 9 24 17 am

What result did you get?

Because of hapi-swagger’s dependency on handlebars@4.0.12 there is a Prototype Pollution vulnerability being flagged when running snyk.

What did you expect?

hapi-swagger to be using the latest version of handlebars (v4.1.0) which is not affected by this vulnerability.

Issue Analytics

State:
Created 5 years ago
Comments:11 (5 by maintainers)

Top GitHub Comments

1reaction

robmcguinnesscommented, Feb 20, 2019

@rossanthony I got the idea from another user https://github.com/glennjones/hapi-swagger/issues/495#issuecomment-358675357 (re-pasting here):

const HapiSwagger = require('hapi-swagger');
const HapiSwaggerUI = require('hapi-swaggered-ui');

const swagger = {
  plugin: HapiSwagger,
  options: {
    documentationPage: false,
    ...
  },
};

const swaggerUI = {
  plugin: HapiSwaggerUI,
  options: {
    path: '/documentation',
    swaggerEndpoint: '/swagger.json',
    ...
  },
};

...

await server.register(swagger);
await server.register(swaggerUI);

We could just use swagger-ui-dist but maybe we would just be recreating hapi-swaggered-ui. I’m all for anything that makes the UI maintenance easier.

0reactions

robmcguinnesscommented, May 26, 2019

Closed in v10.0.0