The current React SPA template has a security issue.
In order to keep things secured by default, serialize-javascript needs to be updated.
@yahorsi thanks for contacting us.
We'll look into this. We believe that this is part of the current template, so it is very likely you can do npm audit fix to fix it.
The idea of this issue is that, IMHO, the template must be as secure as possible, and so if there is a security issue it is a good idea to update the template and fix it.
The vulnerability here doesn't affect how we use the package as we're not using untrusted input, but rather to compile up known entities, but we will update it as a matter of course.
Please note for future security issues a github issue is not the best place to report them. Please consider using our coordinated disclosure route, as highlighted when you created issues. Security issues reported through [email protected] are eligible for our bug bounty program. Github issues are not eligible.
Sorry and thank you for pointing out the right way )
Not a problem at all, I just enjoy paying out bounty money and it's a shame when I can't!
Damn, now I feel even worse :)
@javiercn is already working on updating the packages, so this will be covered too.
@javiercn I believe this has been resolved already. Can you please confirm?