File: audit-ci.jsonc
Lines changed: 8 additions & 1 deletion
@@ -14,6 +14,13 @@
14
14
// It is used by the "make-fetch-happen" and "got" packages which are only used to communicate with the npm registry configured by the user (registry.npmjs.org by default).
15
15
// Although this ReDoS attack is mainly applicable to servers, in theory a server could also send malicious headers to the client (UI5 Tooling) to cause an unexpected slowdown.
16
16
// However, this configured npm registry is already considered a trusted connection as code is downloaded and run by the client.
17
-
"GHSA-rc47-6667-2j5j"
17
+
"GHSA-rc47-6667-2j5j",
18
+
19
+
// The package "local-web-server" uses an open CORS policy that can easily be exploited.
20
+
// In essence, if a "Access-Control-Allow-Origin" header is not provided, it will return a
21
+
// header with the value of the origin from the request.
22
+
// This shouldn't be an issue here as this package is in devDependencies and used to
23
+
// be for local development. Currently, it doesn't seem to be used anywhere in the repo.
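Review bot: the justification on lines 22-23 ("used to be for local development. Currently, it doesn't seem to be used anywhere in the repo") argues for removing "local-web-server" from devDependencies rather than allowlisting its advisory; an unused dependency adds audit noise and attack surface for no benefit, so either confirm it is still needed and say where, or drop it and leave audit-ci out of it. If the exception stays, the comment block should also record the advisory identifier it covers and when the exception should be revisited, as the existing entry on line 17 does; the trailing comma added there implies a following entry, but no identifier appears in the visible lines. Minor wording: "if a "Access-Control-Allow-Origin" header" should read "if an "Access-Control-Allow-Origin" header", and "used to / be for local development" reads more clearly as "was only ever intended for local development".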