Commit
apply feedback
dhmlau committed Nov 19, 2019
1 parent 82a09ef commit 30683f5
Showing 1 changed file with 8 additions and 8 deletions.
16 changes: 8 additions & 8 deletions README.md
Expand Up @@ -39,6 +39,14 @@ console.log("Explorer mounted at localhost:" + port + "/explorer");
app.listen(port);
```

## swagger-ui vulnerabilities

Regarding the security vulnerability on one of our dependencies `swagger-ui`: https://www.npmjs.com/advisories/985

> Versions of swagger-ui prior to 3.0.13 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize YAML files imported from URLs or copied-pasted. This may allow attackers to execute arbitrary JavaScript.
LoopBack's API Explorer does not allow clients to import swagger spec from YAML URL/pasted-content. That means loopback-component-explorer **IS NOT AFFECTED** by this vulnerability. For more details, see discussion in https://github.com/strongloop/loopback-component-explorer/issues/263#issuecomment-529385166.

## Upgrading from v1.x

To upgrade your application using loopback-explorer version 1.x, just replace
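Review bot: in the added section, the blockquote line ending "...execute arbitrary JavaScript." is immediately followed by the paragraph "LoopBack's API Explorer does not allow clients to import swagger spec..." with no blank line between them, so Markdown lazy continuation will render that paragraph as part of the quoted advisory instead of as the project's own statement; insert a blank line after the `>` line. The lead-in "Regarding the security vulnerability on one of our dependencies `swagger-ui`: https://www.npmjs.com/advisories/985" is also a sentence fragment; a full sentence such as "One of our dependencies, `swagger-ui`, has a published security advisory: https://www.npmjs.com/advisories/985" reads more clearly, and the "IS NOT AFFECTED" claim would be easier for readers to verify if the section stated which loopback-component-explorer versions it covers.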
Expand Down Expand Up @@ -200,11 +208,3 @@ Module Long Term Support (LTS)](http://github.com/CloudNativeJS/ModuleLTS) polic
| 4.x | End-of-Life | Dec 2016 | Apr 2019 |

Learn more about our LTS plan in [docs](https://loopback.io/doc/en/contrib/Long-term-support.html).

## swagger-ui vulnerabilities

There has been a security vulnerability on one of our dependencies `swagger-ui`: https://www.npmjs.com/advisories/985.

> Versions of swagger-ui prior to 3.0.13 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize YAML files imported from URLs or copied-pasted. This may allow attackers to execute arbitrary JavaScript.
LoopBack's API Explorer does not allow clients to import swagger spec from YAML URL/pasted-content. That means loopback-component-explorer **IS NOT AFFECTED** by this vulnerability. For more details, see discussion in https://github.com/strongloop/loopback-component-explorer/issues/263#issuecomment-529385166.
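Review bot: the removed block is the same text now inserted earlier in the file, so this hunk is a move rather than a content change; the only wording difference is that the old opening "There has been a security vulnerability on one of our dependencies `swagger-ui`: https://www.npmjs.com/advisories/985." was a complete sentence, whereas the relocated copy opens with "Regarding ...", so consider carrying the full sentence over. Removing the section here also makes "Learn more about our LTS plan in [docs](...)" the last line of README.md, and the hunk shrinking from 11 lines to 3 suggests the trailing blank line went with it; verify the file still ends with a single trailing newline.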
