Skip to content

web-profiler-bundle - retire.js reports DOMPurify 3.0.9 has known vulnerabilities #59852

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pauljura opened this issue Feb 25, 2025 · 2 comments
Open

web-profiler-bundle - retire.js reports DOMPurify 3.0.9 has known vulnerabilities #59852

pauljura opened this issue Feb 25, 2025 · 2 comments
Labels
Bug Status: Needs Review WebProfilerBundle

Comments

@pauljura
Copy link

Symfony version(s) affected

7.2.3

Description

Hi team,

I'm using retire.js to scan for vulnerabilities in my project and it reports that vendor/symfony/web-profiler-bundle/Resources/views/Script/Mermaid/mermaid-flowchart-v2.min.js includes DOMPurify 3.0.9 which in turn has known vulnerabilities.

I know that web-profiler-bundle is only in dev, but I run the retire command in dev, and the client wants to see it report no vulnerabilities in my project.

Any chance of updating web-profiler-bundle to use a more recent version of Mermaid? Thanks

How to reproduce

  1. Create a new Symfony project
  2. Install retire.js with npm install -g retire
  3. Run retire

Possible Solution

No response

Additional Context

No response
@pauljura pauljura added the Bug label Feb 25, 2025
@fabpot
Copy link
Member

fabpot commented Feb 25, 2025

Would you like to work on a fix?

@MatTheCat
Copy link
Contributor

Also see #54424 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Status: Needs Review WebProfilerBundle
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@fabpot @MatTheCat @xabbuh @carsonbot @pauljura