Dependency on vulnerable version of send package #175
This appears to be fixed as of
yep ^ @DBAKANG-GIT feel free to close if you're happy
Thank you
When will this new version be released as stable?
Hello,
I'm using serve-static in my project and I noticed that it depends on the send package version 0.18.0, which has a known security vulnerability (see CVE-2024-43799, GHSA-m6fv-jmcg-4jfg).
The vulnerability is patched in send version 0.19.0. However, the latest version of serve-static still depends on a vulnerable version of send.
Could you please update the send dependency to a secure version to fix this vulnerability?
Thank you for your attention to this matter.
```json
"serve-static": {
  "version": "1.16.0",
  "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.0.tgz",
  "integrity": "sha512-pDLK8zwl2eKaYrs8mrPZBJua4hMplRWJ1tIFksVC3FtBEBnl8dxgeHtsaMS8DhS9i4fLObaon6ABoc4/hQGdPA==",
  "peer": true,
  "dependencies": {
    "encodeurl": "~1.0.2",
    "escape-html": "~1.0.3",
    "parseurl": "~1.3.3",
    "send": "0.18.0"
  }
}
```
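An added example, not part of the original issue or the serve-static project's code: a check that walks a parsed lockfile and reports installed copies of send older than the 0.19.0 fix named above, plus the packages that declare the dependency. It assumes npm's lockfile v2/v3 `packages` layout; `sampleLock`, `compareVersions` and `findVulnerable` are hypothetical names and the sample data is constructed.

```javascript
// Constructed sample in the lockfile v2/v3 "packages" layout (entries abbreviated).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/serve-static": {
      version: "1.16.0",
      dependencies: { send: "0.18.0" }
    },
    "node_modules/send": { version: "0.18.0" },
    "node_modules/other/node_modules/send": { version: "0.19.0" }
  }
};

const FIXED = "0.19.0"; // patched send version named in the issue

// Compare plain x.y.z versions numerically (not lexically, so 0.9.0 < 0.18.0).
// Returns <0, 0 or >0. Pre-release tags are ignored (simplification).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Report every installed copy of `name` older than `fixed`, including nested
// copies, together with the packages whose manifest declares `name`.
function findVulnerable(lock, name, fixed) {
  const pkgs = lock.packages || {};
  const hits = [];
  for (const [path, meta] of Object.entries(pkgs)) {
    // Match ".../node_modules/<name>" exactly; scoped or similarly named packages do not match.
    if (!path.endsWith("node_modules/" + name)) continue;
    if (!meta.version || compareVersions(meta.version, fixed) >= 0) continue;
    hits.push({ path, version: meta.version });
  }
  const dependents = Object.entries(pkgs)
    .filter(([, m]) => m.dependencies && name in m.dependencies)
    .map(([p, m]) => ({ path: p, range: m.dependencies[name] }));
  return { hits, dependents };
}
```

To run it against a real project, pass the result of `JSON.parse` on the contents of `package-lock.json` in place of `sampleLock`.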