Vulnerability #2288
Comments
I've been getting this for a while too in projects where dataview is installed:
Running "npm audit fix --force" breaks the build in ways that I do not yet understand. Just ignoring the message seems to work :), but it is very confusing for users, especially when following the "fix" instructions makes things break more :)
I honestly doubt this is something to worry about given that Obsidian and this plugin both run entirely offline. May be worth upgrading deps though.
deps need a push. yes. this issue is nothing to worry about tho, since the affected SSR svelte component is not even used in here at all. still.. to remove that silly message people see, we should definitely push the dep.
Better it is: https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
What happened?
package.json:
"obsidian-calendar-ui": "^0.3.12",
The vulnerable module is svelte.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25875
The fix came in svelte@3.49.0
https://snyk.io/advisor/npm-package/obsidian-calendar-ui
DQL
No response
JS
No response
Dataview Version
0.5.66
Obsidian Version
1.5.11
OS
Windows
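Added example, not part of the issue thread or the Dataview code base: a small Node.js check that lists every copy of svelte in a lockfile that is older than 3.49.0, the fixed release named in the issue, and which dependency nests it. The lockfile contents, the `example-plugin` name, the svelte versions in the sample and the function names are constructed for illustration.

```javascript
// Constructed sample of a lockfileVersion 2/3 package-lock.json "packages" map.
// The svelte versions here are made up for illustration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-plugin' },
    'node_modules/obsidian-calendar-ui': { version: '0.3.12' },
    'node_modules/obsidian-calendar-ui/node_modules/svelte': { version: '3.35.0' },
    'node_modules/svelte': { version: '3.49.0' },
  },
};

// Compare plain x.y.z versions. Assumption: pre-release tags are ignored,
// which is enough for a "below the fixed release" check, not full semver.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed copy of `name` older than `fixedIn`, with the
// package it is nested under (null when hoisted to the top level).
function findOutdated(lock, name, fixedIn) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/b" -> ["a", "b"]; the root entry "" -> []
    const chain = path.split('node_modules/').filter(Boolean)
      .map((p) => p.replace(/\/$/, ''));
    if (chain[chain.length - 1] !== name || !meta.version) continue;
    if (compareVersions(meta.version, fixedIn) < 0) {
      found.push({
        path,
        version: meta.version,
        nestedUnder: chain.length > 1 ? chain[chain.length - 2] : null,
      });
    }
  }
  return found;
}

// 3.49.0 is the fixed svelte release named in the issue.
console.log(findOutdated(SAMPLE_LOCK, 'svelte', '3.49.0'));
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` instead of `SAMPLE_LOCK`.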