• Resolved jseutens

    (@jseutens)


    https://github.com/jseutens/business-profile-tailored/security/dependabot/1

    The package grunt before 1.3.0 is vulnerable to Arbitrary Code Execution due to the default usage of the function load() instead of its secure replacement safeLoad() of the package js-yaml inside grunt.file.readYAML.

    When I cloned your plugin to git they notified me of this, please check it out.

    I need the fax and cellphone fields so I'm adding them myself, not really all working but for now it's fine for what I want as I don't use the widget or Gutenberg, only the shortcode.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support jaysupport

    (@jaysupport)

    New versions are released to correct any potential security issues. That’s normally how software works. With that in mind, what is the reason for which you are mentioning this? Why are you using a version of the plugin from 2019 and that you say may be vulnerable when there are much newer versions available without the issue you reference?

    Thread Starter jseutens

    (@jseutens)

    OK, I copied the up-to-date plugin that I changed on my site and then added it to GitHub.
    Maybe these are then files and folders left in the plugin as I'm already a long-time user (since Nate was still the owner). I will check by using a fresh copy of the plugin and come back to you.

    • This reply was modified 2 years, 9 months ago by jseutens.
    Thread Starter jseutens

    (@jseutens)

    https://plugins.trac.www.ads-software.com/browser/business-profile/trunk/package.json

    Your version of this file is also 2 years old, it mentions "grunt": "~1.0.0"
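As an added illustration (not code from the thread or from the plugin), the check below reads a package.json and reports whether its grunt dependency range can still resolve to a release below 1.3.0, the version the advisory names as fixed. It only models exact versions and "~"/"^" ranges; anything else is reported as unknown, and the sample package.json is constructed to mirror the "~1.0.0" line quoted above.

```javascript
// First grunt release in which grunt.file.readYAML no longer relies on
// js-yaml's load(); taken from the advisory quoted in the thread.
const FIXED_IN = [1, 3, 0];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of [major, minor, patch]; negative when a < b.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Lowest version a range admits (what an old lockfile could pin), or null
// for range syntax this simplified checker does not model (e.g. "latest").
function lowestAllowed(range) {
  const r = range.trim();
  if (/^[~^]?\d+\.\d+\.\d+/.test(r)) return parseVersion(r.replace(/^[~^]/, ''));
  return null;
}

// Returns { present, vulnerable, range }. "vulnerable" is true when the
// range's floor is below FIXED_IN, false when at or above it, null if unknown.
function vulnerableGrunt(pkgJson) {
  const pkg = JSON.parse(pkgJson);
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  if (!('grunt' in deps)) return { present: false, vulnerable: false, range: null };
  const low = lowestAllowed(deps.grunt);
  if (low === null) return { present: true, vulnerable: null, range: deps.grunt };
  return { present: true, vulnerable: cmp(low, FIXED_IN) < 0, range: deps.grunt };
}

// Constructed sample package.json (hypothetical contents) with the
// "grunt": "~1.0.0" range the thread quotes: ~1.0.0 admits 1.0.x only.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-plugin-build',
  devDependencies: { grunt: '~1.0.0' },
});

const report = vulnerableGrunt(SAMPLE_PACKAGE_JSON);
console.log(`grunt ${report.range}: vulnerable=${report.vulnerable}`);
```

A build-only devDependency that is never shipped with the plugin, as the maintainer explains later in the thread, still shows up in a scan like this; the result tells you the pinned range is old, not that end users are exposed.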

    Plugin Support jaysupport

    (@jaysupport)

    Ah, ok. So, those files were there as part of the way Nate compiled/deployed the plugin using node packages. We don’t do/use this. And those files are not used for any of the plugin functionality itself. We originally kept them in version 2.0.0 to run tests and for checking backwards compatibility. However, they are no longer necessary and we will remove them in the next update.

    Thanks for getting back to me and clarifying your concern.

    Thread Starter jseutens

    (@jseutens)

    No problem, happy to help.
    Case closed.

  • The topic ‘security issue grunt’ is closed to new replies.