This is an automated email from the ASF dual-hosted git repository. skygo pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/netbeans.git
The following commit(s) were added to refs/heads/master by this push: new b2c3f01 [NETBEANS-4280] - cleanup potential security breaches new 0eff9c8 Merge pull request #2110 from BradWalker/cleanup_security_alerts b2c3f01 is described below commit b2c3f01001de5b648b9909b9e01245c17f92a2d7 Author: Brad Walker <bwal...@musings.com> AuthorDate: Wed Apr 29 17:02:02 2020 -0600 [NETBEANS-4280] - cleanup potential security breaches There are a few known security breaches in the sample source.. Specifically the following alerts: CVE-2019-5484 Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted. CVE-2019-5413 An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1. CVE-2017-16137 The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue. I'm not saying these are critical. But, it's better we fix them to prevent any possibility of using Netbeans IDE to allow someone to exploit this. As well as set the proper example. --- .../javascript.nodejs/samples_src/MessagesAngular/package.json | 2 +- .../javascript.nodejs/samples_src/MessagesExpress/package.json | 6 +++--- .../javascript.nodejs/samples_src/MessagesKnockout/package.json | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/webcommon/javascript.nodejs/samples_src/MessagesAngular/package.json b/webcommon/javascript.nodejs/samples_src/MessagesAngular/package.json index ea851f1..877fc23 100644 --- a/webcommon/javascript.nodejs/samples_src/MessagesAngular/package.json +++ b/webcommon/javascript.nodejs/samples_src/MessagesAngular/package.json 
@@ -10,7 +10,7 @@ "dependencies": { "express": "^4.10.1", "body-parser": "^1.4.3", - "bower": "~1.3.12" + "bower": "~1.8.8" }, "devDependencies": { "gulp": "^3.8.10", diff --git a/webcommon/javascript.nodejs/samples_src/MessagesExpress/package.json b/webcommon/javascript.nodejs/samples_src/MessagesExpress/package.json index 5664cdf..accbe7e 100644 --- a/webcommon/javascript.nodejs/samples_src/MessagesExpress/package.json +++ b/webcommon/javascript.nodejs/samples_src/MessagesExpress/package.json @@ -11,11 +11,11 @@ "dependencies": { "body-parser": "~1.10.2", "cookie-parser": "~1.3.3", - "debug": "~2.1.1", + "debug": "~2.6.9", "express": "~4.11.1", "jade": "~1.9.1", - "morgan": "~1.5.1", - "bower" : "~1.3.12" + "morgan": "~1.9.1", + "bower" : "~1.8.8" }, "devDependencies": { "grunt": "^0.4.5", diff --git a/webcommon/javascript.nodejs/samples_src/MessagesKnockout/package.json b/webcommon/javascript.nodejs/samples_src/MessagesKnockout/package.json index d407fb3..40bbc89 100644 --- a/webcommon/javascript.nodejs/samples_src/MessagesKnockout/package.json +++ b/webcommon/javascript.nodejs/samples_src/MessagesKnockout/package.json @@ -6,7 +6,7 @@ "dependencies": { "express": "^4.10.1", "body-parser": "^1.4.3", - "bower" : "~1.3.12" + "bower" : "~1.8.8" }, "devDependencies": { "grunt": "^0.4.5", --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org For additional commands, e-mail: commits-h...@netbeans.apache.org For further information about the NetBeans mailing lists, visit: https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
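Review bot: in the MessagesAngular hunk, `"bower": "~1.8.8"` sits under `"dependencies"` while the other build tooling (`"gulp": "^3.8.10"`) is under `"devDependencies"`; since bower is only run at scaffold/build time, moving it next to gulp would keep a tool with a known write-anywhere history (CVE-2019-5484 per the commit message) out of production installs entirely, not merely patched. The `~1.8.8` range itself is right for the advisory: it floors at the first fixed release and stays within 1.8.x.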
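Review bot: in the MessagesExpress hunk, bumping the direct `"debug"` to `~2.6.9` and `"morgan"` to `~1.9.1` does not touch `"express": "~4.11.1"` and `"jade": "~1.9.1"`, which are left unchanged in the same block; both of those packages pull in their own copies of `debug`, so the vulnerable 2.1.x line may still land in `node_modules` transitively and `npm audit` (or `npm ls debug`) would be a quick way to confirm the sample is actually clean after this change. Also a style nit: `"bower" : "~1.8.8"` keeps the space before the colon while every other key in the file uses `"key": value`; writing it `"bower": "~1.8.8"` matches the MessagesAngular file.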
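Review bot: in the MessagesKnockout hunk, the only change is the bower floor, which is correct, but `"bower" : "~1.8.8"` repeats the odd `" :` spacing from the Express sample; since the line is being rewritten anyway, `"bower": "~1.8.8"` would make all three samples byte-identical for this entry and easier to keep in sync on the next advisory.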