npm README

[zeg-io]

The NPM readme for this module states there is a XSS vulnerability, however this readme is different, and the npm audit shows no vulnerabilities.

Was the issue resolved and just not republished to npm or is the issue still there but no longer in this readme?

[pvorb]

The vulnerability was fixed in 1.0.4. I removed the note about the vulnerability in 98dc28c. It's still on npm because there was no new release since that commit. Only releases <= 1.0.3 are marked to be vulnerable and would be found by npm audit.

Does that answer your question?

[hiendv]

@pvorb Pardon me, how is it "no new release since that commit"? The latest release is 2.1.2 but the npm's README is outdated?

[pvorb]

That commit was after the 2.1.2 release.

[hiendv]

Got it. I thought the commit's somewhere between 1.0.4 and 2.1.2 🤣

[pvorb]

Yeah, no worries. I had to revisit the commit history to make sure I wasn't wrong.

[jayaddison]

The text 'XSS Vulnerability Detected' appears on the npmjs page for clone at the moment, as part of the readme (just before the 'Installation' heading). Is that the same issue as reported here?

[pvorb]

Yes

[gubo]

hi ... may i ask what the xss vulnerability was due to, and what was the fix ? i cant seem to find the fix in the commits ...
thanks much :)