[Bug] Security vulnerability in DOMPurify@3.0.5 (used by VSCode & Monaco) #4692
Comments
|
It looks like DOMPurify was bumped here https://github.com/microsoft/vscode/pull/228773/files but not yet vendored like in this other DOMPurify bump PR - https://github.com/microsoft/vscode/pull/189368/files |
|
@rzhao271 Just wanted to at you as you merged in the version update for DOMPurify |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Reproducible in vscode.dev or in VS Code Desktop?
Reproducible in the monaco editor playground?
Monaco Editor Playground Link
No response
Monaco Editor Playground Code
No response
Reproduction Steps
No response
Actual (Problematic) Behavior
Our OWASP scan detected an issue in DOMPurify@3.0.5 CVE-2024-45801 which seems to be used by the Monaco editor (VSCode): https://github.com/microsoft/vscode/blob/main/src/vs/base/browser/dompurify/dompurify.js
Please update to DOMPurify@3.1.3 to get rid of that vulnerability.
Thanks
Expected Behavior
There should be no vulnerability issues.
Additional Context
No response
The text was updated successfully, but these errors were encountered: