Fix the vulnerability caused by swagger-ui

[jannyHou]

Description

See PR #253, the vulnerability report requires an upgrade from [email protected] to [email protected].

There is breaking change in [email protected] to support OpenAPI 3.0.0. We need to

• Figure out what's the effort to upgrade dependency swagger-ui from 2 to 3.
• If the effort is reasonable then do it.

[bajtos]

Cross-posting #250 (comment)

Upgrading to swagger-ui@3 is a lot of effort. See #209 for the previous attempt made by @STRML .

The following issue is the biggest blocker:

loopback-swagger need to produce auth metadata - see strongloop/loopback-swagger#65

The pull request also says:

The npm package no longer exports a bundle. I'm not sure if this is intentional. For this reason, I've added a dev-only script to copy from github releases.

I think this is no longer relevant, we are successfully using https://www.npmjs.com/package/swagger-ui-dist in LB4.

[nabdelgadir]

Proposed by @bajtos:

To fix the vulnerability from swagger-api/swagger-ui#3847:

• Submit a PR to swagger-ui to backport the patch from Add URL sanitizer to avoid href XSS attack vector swagger-api/swagger-ui#3848 into swagger-ui@2 instead of upgrading to swagger-ui@3.

[nabdelgadir]

It seems like the files where the vulnerability exists in swagger-ui@3 don't exist on swagger-ui@2, so there's no way to backport the patch (also the issue's title, XSS Vulnerability with Swagger UI v3, mentions it's for v3). Since the effort to upgrade the dependency was agreed to be too much, should we close the issue? @strongloop/loopback-maintainers

Edit: if there are no objections, I'll close the issue but we can reopen it if needed.

[nabdelgadir]

I was able to reproduce the issue on a LoopBack 3 application using swagger-ui@2, so I'm reopening this issue.

[nabdelgadir]

Closing this issue as no vulnerabilities are reported when creating a new LoopBack 3 app or when doing npm install on this repo where [email protected] is a dependency.