
Vulnerability #2288

Open
lexiconwriter opened this issue Apr 1, 2024 · 4 comments
Labels
bug Something isn't working.

Comments

@lexiconwriter

What happened?

package.json:

"obsidian-calendar-ui": "^0.3.12",

The Vulnerable module is svelte.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25875

The fix came in svelte@3.49.0

https://snyk.io/advisor/npm-package/obsidian-calendar-ui

DQL

No response

JS

No response

Dataview Version

0.5.66

Obsidian Version

1.5.11

OS

Windows

lexiconwriter added the bug label Apr 1, 2024
@jeetsukumaran

I've been getting this for a while too in projects where dataview is installed:


$ npm audit
# npm audit report

svelte  <3.49.0
Severity: moderate
Svelte vulnerable to XSS when using objects during server-side rendering - https://github.com/advisories/GHSA-wv8q-r932-8hc7
fix available via `npm audit fix --force`
Will install obsidian-dataview@0.4.21, which is a breaking change
node_modules/svelte
  obsidian-calendar-ui  *
  Depends on vulnerable versions of svelte
  node_modules/obsidian-calendar-ui
    obsidian-dataview  >=0.4.22
    Depends on vulnerable versions of obsidian-calendar-ui
    node_modules/obsidian-dataview

3 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Running "npm audit fix --force" breaks the build in ways that I do not yet understand.

Just ignoring the message seems to work :), but it is very confusing for users, especially when following the "fix" instructions makes things break more :)
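Triaging the audit output above, as an added example that is not from this thread or the Dataview project: it reads the structure that `npm audit --json` emits (npm 7 and later), finds the root advisory, walks the `effects` chain up to the direct dependency that pulls the vulnerable package in, and flags whether npm's proposed fix is a semver-major change. The `report` object is constructed to mirror the output quoted above.

```javascript
// Added example (not code from the issue or the plugin). `report` is CONSTRUCTED
// to mirror the thread's `npm audit` output; field names follow the schema of
// `npm audit --json` in npm 7+ (vulnerabilities, via, effects, fixAvailable).
const fix = { name: 'obsidian-dataview', version: '0.4.21', isSemVerMajor: true };
const report = {
  vulnerabilities: {
    svelte: {
      name: 'svelte', severity: 'moderate', isDirect: false, range: '<3.49.0',
      via: [{ name: 'svelte', severity: 'moderate', range: '<3.49.0',
              url: 'https://github.com/advisories/GHSA-wv8q-r932-8hc7' }],
      effects: ['obsidian-calendar-ui'], fixAvailable: fix,
    },
    'obsidian-calendar-ui': {
      name: 'obsidian-calendar-ui', severity: 'moderate', isDirect: false, range: '*',
      via: ['svelte'], effects: ['obsidian-dataview'], fixAvailable: fix,
    },
    'obsidian-dataview': {
      name: 'obsidian-dataview', severity: 'moderate', isDirect: true, range: '>=0.4.22',
      via: ['obsidian-calendar-ui'], effects: [], fixAvailable: fix,
    },
  },
};

// A root finding is an entry whose `via` holds an advisory object; entries whose
// `via` holds only package names are downstream of one. For each root, follow
// `effects` upward until the direct dependency that pulls it in is reached.
function triage(audit) {
  const vulns = audit.vulnerabilities;
  const results = [];
  for (const v of Object.values(vulns)) {
    const advisories = v.via.filter((x) => typeof x === 'object');
    if (advisories.length === 0) continue;
    const chain = [v.name];
    const seen = new Set(chain);
    let cur = v;
    while (!cur.isDirect && cur.effects.length > 0) {
      const next = vulns[cur.effects[0]];
      if (!next || seen.has(next.name)) break; // missing node or cycle in the graph
      chain.push(next.name); seen.add(next.name); cur = next;
    }
    results.push({
      package: v.name, severity: v.severity, vulnerableRange: v.range,
      advisory: advisories[0].url, chain, // vulnerable package -> ... -> direct dep
      reachesDirectDep: cur.isDirect === true,
      breakingFix: typeof v.fixAvailable === 'object' && v.fixAvailable.isSemVerMajor === true,
    });
  }
  return results;
}
```

Seeing the chain end at the project's own direct dependency is what tells a maintainer that the alternative to npm's breaking downgrade is to have that dependency (or an `overrides` entry in package.json, supported since npm 8.3) resolve svelte to a version of 3.49.0 or later.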

@AB1908
Collaborator

AB1908 commented Apr 6, 2024

I honestly doubt this is something to worry about given that Obsidian and this plugin both run entirely offline. May be worth upgrading deps though.

@GottZ
Contributor

GottZ commented Apr 11, 2024

deps need a push. yes. this issue is nothing to worry about tho, since the affected ssr svelte component is not even used in here at all.
this issue is a false-positive non-issue.

still.. to remove that silly message people see, we should definitely push the dep.

@lexiconwriter
Author

to remove that silly message people see, we should definitely push the dep

Better it is: https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/
